commit: 33b57a73d408aac6891a4ed8c3281577cc4a54fd
parent ecc7a257aae1de11f4a5ca77402e3d12cf973061
Author: Michael Forney <mforney@mforney.org>
Date: Wed, 22 Apr 2020 21:42:09 -0700
libfido2: Switch to oasis repository
Diffstat:
10 files changed, 2 insertions(+), 2819 deletions(-)
diff --git a/.gitmodules b/.gitmodules
@@ -122,7 +122,7 @@
ignore = all
[submodule "pkg/libfido2/src"]
path = pkg/libfido2/src
- url = https://github.com/Yubico/libfido2.git
+ url = https://github.com/oasislinux/libfido2.git
ignore = all
[submodule "pkg/libgpiod/src"]
path = pkg/libgpiod/src
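Review bot: The new `url` for the `pkg/libfido2/src` submodule points at a fork, and the same commit deletes the local patch files under `pkg/libfido2/patch`, so the delta against upstream libfido2 (including the BearSSL port of the crypto code) is no longer visible in this repository's history. The gitlink that pins the fork commit is not part of this hunk; it is worth confirming that the pinned commit's diff against the upstream base matches the removed series, and naming that base in the commit message. The section also keeps `ignore = all`, so `git status` will not report a submodule checkout that differs from the pinned commit, and the build should check the checked-out revision itself. A one-line comment above the URL, such as `# fork of Yubico/libfido2 carrying the patches formerly in pkg/libfido2/patch`, would record the provenance.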
diff --git a/pkg/libfido2/patch/0001-hid_linux-Use-sysfs-instead-of-libudev.patch b/pkg/libfido2/patch/0001-hid_linux-Use-sysfs-instead-of-libudev.patch
@@ -1,212 +0,0 @@
-From eec0c3a3cf1528185c8e1bdcf94733e27d5d8d51 Mon Sep 17 00:00:00 2001
-From: Michael Forney <mforney@mforney.org>
-Date: Fri, 1 Nov 2019 19:39:45 -0700
-Subject: [PATCH] hid_linux: Use sysfs instead of libudev
-
----
- CMakeLists.txt | 2 -
- src/hid_linux.c | 103 ++++++++++++++++++------------------------------
- 2 files changed, 39 insertions(+), 66 deletions(-)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 0bb2e87..5262ca8 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -100,8 +100,6 @@ else()
- endif()
-
- if(CMAKE_SYSTEM_NAME STREQUAL "Linux")
-- pkg_search_module(UDEV libudev REQUIRED)
-- set(UDEV_NAME "udev")
- # Define be32toh().
- add_definitions(-D_GNU_SOURCE)
- # If using hidapi, use hidapi-hidraw.
-diff --git a/src/hid_linux.c b/src/hid_linux.c
-index 99c5afb..fa30ab2 100644
---- a/src/hid_linux.c
-+++ b/src/hid_linux.c
-@@ -9,8 +9,9 @@
- #include <sys/ioctl.h>
- #include <linux/hidraw.h>
-
-+#include <dirent.h>
- #include <fcntl.h>
--#include <libudev.h>
-+#include <stdio.h>
- #include <string.h>
- #include <unistd.h>
- #include <errno.h>
-@@ -147,23 +148,20 @@ is_fido(const char *path)
- }
-
- static int
--parse_uevent(struct udev_device *dev, int16_t *vendor_id, int16_t *product_id)
-+parse_uevent(const char *path, int16_t *vendor_id, int16_t *product_id)
- {
-- const char *uevent;
-- char *cp;
-- char *p;
-- char *s;
-+ FILE *fp;
-+ char *p = NULL;
-+ size_t n = 0;
- int ok = -1;
- short unsigned int x;
- short unsigned int y;
-
-- if ((uevent = udev_device_get_sysattr_value(dev, "uevent")) == NULL)
-+ fp = fopen(path, "r");
-+ if (!fp)
- return (-1);
-
-- if ((s = cp = strdup(uevent)) == NULL)
-- return (-1);
--
-- for ((p = strsep(&cp, "\n")); p && *p != '\0'; (p = strsep(&cp, "\n"))) {
-+ while (getline(&p, &n, fp) >= 0) {
- if (strncmp(p, "HID_ID=", 7) == 0) {
- if (sscanf(p + 7, "%*x:%hx:%hx", &x, &y) == 2) {
- *vendor_id = (int16_t)x;
-@@ -174,50 +172,34 @@ parse_uevent(struct udev_device *dev, int16_t *vendor_id, int16_t *product_id)
- }
- }
-
-- free(s);
--
-+ free(p);
-+ fclose(fp);
- return (ok);
- }
-
- static int
--copy_info(fido_dev_info_t *di, struct udev *udev,
-- struct udev_list_entry *udev_entry)
-+copy_info(fido_dev_info_t *di, const char *name)
- {
-- const char *name;
-- const char *path;
-- const char *manufacturer;
-- const char *product;
-- struct udev_device *dev = NULL;
-- struct udev_device *hid_parent;
-- struct udev_device *usb_parent;
-- int ok = -1;
-+ char path[PATH_MAX];
-+ int r, ok = -1;
-
- memset(di, 0, sizeof(*di));
-
-- if ((name = udev_list_entry_get_name(udev_entry)) == NULL ||
-- (dev = udev_device_new_from_syspath(udev, name)) == NULL ||
-- (path = udev_device_get_devnode(dev)) == NULL ||
-- is_fido(path) == 0)
-+ r = snprintf(path, sizeof(path), "/dev/%s", name);
-+ if (r < 0 || (size_t)r >= sizeof(path))
- goto fail;
--
-- if ((hid_parent = udev_device_get_parent_with_subsystem_devtype(dev,
-- "hid", NULL)) == NULL)
-+ if (is_fido(path) == 0)
- goto fail;
-+ di->path = strdup(path);
-
-- if ((usb_parent = udev_device_get_parent_with_subsystem_devtype(dev,
-- "usb", "usb_device")) == NULL)
-+ r = snprintf(path, sizeof(path), "/sys/class/hidraw/%s/device/uevent", name);
-+ if (r < 0 || (size_t)r >= sizeof(path))
- goto fail;
--
-- if (parse_uevent(hid_parent, &di->vendor_id, &di->product_id) < 0 ||
-- (manufacturer = udev_device_get_sysattr_value(usb_parent,
-- "manufacturer")) == NULL ||
-- (product = udev_device_get_sysattr_value(usb_parent,
-- "product")) == NULL)
-+ if (parse_uevent(path, &di->vendor_id, &di->product_id) < 0)
- goto fail;
-
-- di->path = strdup(path);
-- di->manufacturer = strdup(manufacturer);
-- di->product = strdup(product);
-+ di->manufacturer = strdup("unknown");
-+ di->product = strdup("unknown");
-
- if (di->path == NULL ||
- di->manufacturer == NULL ||
-@@ -226,9 +208,6 @@ copy_info(fido_dev_info_t *di, struct udev *udev,
-
- ok = 0;
- fail:
-- if (dev != NULL)
-- udev_device_unref(dev);
--
- if (ok < 0) {
- free(di->path);
- free(di->manufacturer);
-@@ -239,14 +218,17 @@ fail:
- return (ok);
- }
-
-+static int
-+filter_hidraw(const struct dirent *d)
-+{
-+ return strncmp(d->d_name, "hidraw", 6) == 0;
-+}
-+
- int
- fido_hid_manifest(fido_dev_info_t *devlist, size_t ilen, size_t *olen)
- {
-- struct udev *udev = NULL;
-- struct udev_enumerate *udev_enum = NULL;
-- struct udev_list_entry *udev_list;
-- struct udev_list_entry *udev_entry;
-- int r = FIDO_ERR_INTERNAL;
-+ struct dirent **entries;
-+ int i, n, r = FIDO_ERR_INTERNAL;
-
- *olen = 0;
-
-@@ -256,17 +238,11 @@ fido_hid_manifest(fido_dev_info_t *devlist, size_t ilen, size_t *olen)
- if (devlist == NULL)
- return (FIDO_ERR_INVALID_ARGUMENT);
-
-- if ((udev = udev_new()) == NULL ||
-- (udev_enum = udev_enumerate_new(udev)) == NULL)
-+ n = scandir("/sys/class/hidraw", &entries, filter_hidraw, alphasort);
-+ if (n == -1)
- goto fail;
--
-- if (udev_enumerate_add_match_subsystem(udev_enum, "hidraw") < 0 ||
-- udev_enumerate_scan_devices(udev_enum) < 0 ||
-- (udev_list = udev_enumerate_get_list_entry(udev_enum)) == NULL)
-- goto fail;
--
-- udev_list_entry_foreach(udev_entry, udev_list) {
-- if (copy_info(&devlist[*olen], udev, udev_entry) == 0) {
-+ for (i = 0; i < n; ++i) {
-+ if (copy_info(&devlist[*olen], entries[i]->d_name) == 0) {
- devlist[*olen].io = (fido_dev_io_t) {
- fido_hid_open,
- fido_hid_close,
-@@ -276,15 +252,14 @@ fido_hid_manifest(fido_dev_info_t *devlist, size_t ilen, size_t *olen)
- if (++(*olen) == ilen)
- break;
- }
-+ free(entries[i]);
- }
-+ for (; i < n; ++i)
-+ free(entries[i]);
-+ free(entries);
-
- r = FIDO_OK;
- fail:
-- if (udev_enum != NULL)
-- udev_enumerate_unref(udev_enum);
-- if (udev != NULL)
-- udev_unref(udev);
--
- return (r);
- }
-
---
-2.26.1
-
diff --git a/pkg/libfido2/patch/0002-u2f-Use-nanosleep-instead-of-obsolete-usleep.patch b/pkg/libfido2/patch/0002-u2f-Use-nanosleep-instead-of-obsolete-usleep.patch
@@ -1,83 +0,0 @@
-From 18e294353b75c7f7006c633b000e780bdb89f0f7 Mon Sep 17 00:00:00 2001
-From: Michael Forney <mforney@mforney.org>
-Date: Tue, 26 Nov 2019 13:06:58 -0800
-Subject: [PATCH] u2f: Use nanosleep instead of obsolete usleep
-
-usleep was declared obsolete in POSIX.1-2001 and removed in
-POSIX.1-2008.
----
- src/u2f.c | 28 ++++++++++++++++++----------
- 1 file changed, 18 insertions(+), 10 deletions(-)
-
-diff --git a/src/u2f.c b/src/u2f.c
-index 19a959d..3b01f61 100644
---- a/src/u2f.c
-+++ b/src/u2f.c
-@@ -11,19 +11,27 @@
- #ifdef HAVE_UNISTD_H
- #include <unistd.h>
- #endif
-+#include <time.h>
-
- #include "fido.h"
- #include "fido/es256.h"
-
--#if defined(_MSC_VER)
- static int
--usleep(unsigned int usec)
-+sleep_msec(unsigned int msec)
- {
-- Sleep(usec / 1000);
-+#if defined(_MSC_VER)
-+ Sleep(msec);
-
- return (0);
--}
-+#else
-+ struct timespec ts = {
-+ .tv_sec = msec / 1000,
-+ .tv_nsec = (msec % 1000) * 1000000,
-+ };
-+
-+ return nanosleep(&ts, NULL);
- #endif
-+}
-
- static int
- sig_get(fido_blob_t *sig, const unsigned char **buf, size_t *len)
-@@ -160,8 +168,8 @@ send_dummy_register(fido_dev_t *dev, int ms)
- r = FIDO_ERR_RX;
- goto fail;
- }
-- if (usleep((ms == -1 ? 100 : ms) * 1000) < 0) {
-- fido_log_debug("%s: usleep", __func__);
-+ if (sleep_msec(ms == -1 ? 100 : ms) < 0) {
-+ fido_log_debug("%s: sleep_msec", __func__);
- r = FIDO_ERR_RX;
- goto fail;
- }
-@@ -336,8 +344,8 @@ do_auth(fido_dev_t *dev, const fido_blob_t *cdh, const char *rp_id,
- r = FIDO_ERR_RX;
- goto fail;
- }
-- if (usleep((ms == -1 ? 100 : ms) * 1000) < 0) {
-- fido_log_debug("%s: usleep", __func__);
-+ if (sleep_msec(ms == -1 ? 100 : ms) < 0) {
-+ fido_log_debug("%s: sleep_msec", __func__);
- r = FIDO_ERR_RX;
- goto fail;
- }
-@@ -643,8 +651,8 @@ u2f_register(fido_dev_t *dev, fido_cred_t *cred, int ms)
- r = FIDO_ERR_RX;
- goto fail;
- }
-- if (usleep((ms == -1 ? 100 : ms) * 1000) < 0) {
-- fido_log_debug("%s: usleep", __func__);
-+ if (sleep_msec(ms == -1 ? 100 : ms) < 0) {
-+ fido_log_debug("%s: sleep_msec", __func__);
- r = FIDO_ERR_RX;
- goto fail;
- }
---
-2.26.1
-
diff --git a/pkg/libfido2/patch/0003-io-avoid-use-of-packed-struct.patch b/pkg/libfido2/patch/0003-io-avoid-use-of-packed-struct.patch
@@ -1,257 +0,0 @@
-From 4c52200f4480b8f0491d79df9934918762376d81 Mon Sep 17 00:00:00 2001
-From: Michael Forney <mforney@mforney.org>
-Date: Tue, 26 Nov 2019 18:52:13 -0800
-Subject: [PATCH] io: avoid use of packed struct
-
----
- src/io.c | 143 ++++++++++++++++++++++++++-----------------------------
- 1 file changed, 67 insertions(+), 76 deletions(-)
-
-diff --git a/src/io.c b/src/io.c
-index af2f49a..9e6af3d 100644
---- a/src/io.c
-+++ b/src/io.c
-@@ -9,25 +9,19 @@
- #include <string.h>
-
- #include "fido.h"
--#include "packed.h"
--
--PACKED_TYPE(frame_t,
--struct frame {
-- uint32_t cid; /* channel id */
-- union {
-- uint8_t type;
-- struct {
-- uint8_t cmd;
-- uint8_t bcnth;
-- uint8_t bcntl;
-- uint8_t data[CTAP_RPT_SIZE - 7];
-- } init;
-- struct {
-- uint8_t seq;
-- uint8_t data[CTAP_RPT_SIZE - 5];
-- } cont;
-- } body;
--})
-+
-+/* CTAP section 8.1.4 */
-+enum {
-+ CID,
-+
-+ INIT_CMD = 4,
-+ INIT_BCNTH,
-+ INIT_BCNTL,
-+ INIT_DATA,
-+
-+ CONT_SEQ = 4,
-+ CONT_DATA,
-+};
-
- #ifndef MIN
- #define MIN(x, y) ((x) > (y) ? (y) : (x))
-@@ -36,14 +30,11 @@ struct frame {
- static int
- tx_empty(fido_dev_t *d, uint8_t cmd)
- {
-- struct frame *fp;
-- unsigned char pkt[sizeof(*fp) + 1];
-- int n;
-+ uint8_t pkt[1 + CTAP_RPT_SIZE] = {0};
-+ int n;
-
-- memset(&pkt, 0, sizeof(pkt));
-- fp = (struct frame *)(pkt + 1);
-- fp->cid = d->cid;
-- fp->body.init.cmd = CTAP_FRAME_INIT | cmd;
-+ memcpy(pkt + 1 + CID, &d->cid, 4);
-+ pkt[1 + INIT_CMD] = CTAP_FRAME_INIT | cmd;
-
- n = d->io.write(d->io_handle, pkt, sizeof(pkt));
- if (n < 0 || (size_t)n != sizeof(pkt))
-@@ -55,18 +46,15 @@ tx_empty(fido_dev_t *d, uint8_t cmd)
- static size_t
- tx_preamble(fido_dev_t *d, uint8_t cmd, const void *buf, size_t count)
- {
-- struct frame *fp;
-- unsigned char pkt[sizeof(*fp) + 1];
-- int n;
--
-- memset(&pkt, 0, sizeof(pkt));
-- fp = (struct frame *)(pkt + 1);
-- fp->cid = d->cid;
-- fp->body.init.cmd = CTAP_FRAME_INIT | cmd;
-- fp->body.init.bcnth = (count >> 8) & 0xff;
-- fp->body.init.bcntl = count & 0xff;
-- count = MIN(count, sizeof(fp->body.init.data));
-- memcpy(&fp->body.init.data, buf, count);
-+ uint8_t pkt[1 + CTAP_RPT_SIZE] = {0};
-+ int n;
-+
-+ memcpy(pkt + 1 + CID, &d->cid, 4);
-+ pkt[1 + INIT_CMD] = CTAP_FRAME_INIT | cmd;
-+ pkt[1 + INIT_BCNTH] = (count >> 8) & 0xff;
-+ pkt[1 + INIT_BCNTL] = count & 0xff;
-+ count = MIN(count, CTAP_RPT_SIZE - INIT_DATA);
-+ memcpy(pkt + 1 + INIT_DATA, buf, count);
-
- n = d->io.write(d->io_handle, pkt, sizeof(pkt));
- if (n < 0 || (size_t)n != sizeof(pkt))
-@@ -78,16 +66,13 @@ tx_preamble(fido_dev_t *d, uint8_t cmd, const void *buf, size_t count)
- static size_t
- tx_frame(fido_dev_t *d, uint8_t seq, const void *buf, size_t count)
- {
-- struct frame *fp;
-- unsigned char pkt[sizeof(*fp) + 1];
-- int n;
-+ uint8_t pkt[1 + CTAP_RPT_SIZE] = {0};
-+ int n;
-
-- memset(&pkt, 0, sizeof(pkt));
-- fp = (struct frame *)(pkt + 1);
-- fp->cid = d->cid;
-- fp->body.cont.seq = seq;
-- count = MIN(count, sizeof(fp->body.cont.data));
-- memcpy(&fp->body.cont.data, buf, count);
-+ memcpy(pkt + 1 + CID, &d->cid, 4);
-+ pkt[1 + CONT_SEQ] = seq;
-+ count = MIN(count, CTAP_RPT_SIZE - CONT_DATA);
-+ memcpy(pkt + 1 + CONT_DATA, buf, count);
-
- n = d->io.write(d->io_handle, pkt, sizeof(pkt));
- if (n < 0 || (size_t)n != sizeof(pkt))
-@@ -142,39 +127,42 @@ fido_tx(fido_dev_t *d, uint8_t cmd, const void *buf, size_t count)
- }
-
- static int
--rx_frame(fido_dev_t *d, struct frame *fp, int ms)
-+rx_frame(fido_dev_t *d, uint8_t *fp, int ms)
- {
- int n;
-
-- n = d->io.read(d->io_handle, (unsigned char *)fp, sizeof(*fp), ms);
-- if (n < 0 || (size_t)n != sizeof(*fp))
-+ n = d->io.read(d->io_handle, (unsigned char *)fp, CTAP_RPT_SIZE, ms);
-+ if (n < 0 || (size_t)n != CTAP_RPT_SIZE)
- return (-1);
-
- return (0);
- }
-
- static int
--rx_preamble(fido_dev_t *d, uint8_t cmd, struct frame *fp, int ms)
-+rx_preamble(fido_dev_t *d, uint8_t cmd, uint8_t *fp, int ms)
- {
-+ uint32_t cid;
-+
- do {
- if (rx_frame(d, fp, ms) < 0)
- return (-1);
-+ memcpy(&cid, &fp[CID], 4);
- #ifdef FIDO_FUZZ
-- fp->cid = d->cid;
-+ cid = d->cid;
- #endif
-- } while (fp->cid == d->cid &&
-- fp->body.init.cmd == (CTAP_FRAME_INIT | CTAP_KEEPALIVE));
-+ } while (cid == d->cid &&
-+ fp[INIT_CMD] == (CTAP_FRAME_INIT | CTAP_KEEPALIVE));
-
- fido_log_debug("%s: initiation frame at %p", __func__, (void *)fp);
-- fido_log_xxd(fp, sizeof(*fp));
-+ fido_log_xxd(fp, CTAP_RPT_SIZE);
-
- #ifdef FIDO_FUZZ
-- fp->body.init.cmd = (CTAP_FRAME_INIT | cmd);
-+ fp[INIT_CMD] = (CTAP_FRAME_INIT | cmd);
- #endif
-
-- if (fp->cid != d->cid || fp->body.init.cmd != (CTAP_FRAME_INIT | cmd)) {
-+ if (cid != d->cid || fp[INIT_CMD] != (CTAP_FRAME_INIT | cmd)) {
- fido_log_debug("%s: cid (0x%x, 0x%x), cmd (0x%02x, 0x%02x)",
-- __func__, fp->cid, d->cid, fp->body.init.cmd, cmd);
-+ __func__, cid, d->cid, fp[INIT_CMD], cmd);
- return (-1);
- }
-
-@@ -184,15 +172,16 @@ rx_preamble(fido_dev_t *d, uint8_t cmd, struct frame *fp, int ms)
- static int
- rx(fido_dev_t *d, uint8_t cmd, unsigned char *buf, size_t count, int ms)
- {
-- struct frame f;
-- uint16_t r, payload_len;
-+ uint8_t f[CTAP_RPT_SIZE];
-+ uint32_t cid;
-+ uint16_t r, payload_len;
-
-- if (rx_preamble(d, cmd, &f, ms) < 0) {
-+ if (rx_preamble(d, cmd, f, ms) < 0) {
- fido_log_debug("%s: rx_preamble", __func__);
- return (-1);
- }
-
-- payload_len = (f.body.init.bcnth << 8) | f.body.init.bcntl;
-+ payload_len = (f[INIT_BCNTH] << 8) | f[INIT_BCNTL];
- fido_log_debug("%s: payload_len=%zu", __func__, (size_t)payload_len);
-
- if (count < (size_t)payload_len) {
-@@ -200,16 +189,16 @@ rx(fido_dev_t *d, uint8_t cmd, unsigned char *buf, size_t count, int ms)
- return (-1);
- }
-
-- if (payload_len < sizeof(f.body.init.data)) {
-- memcpy(buf, f.body.init.data, payload_len);
-+ if (payload_len < CTAP_RPT_SIZE - INIT_DATA) {
-+ memcpy(buf, f + INIT_DATA, payload_len);
- return (payload_len);
- }
-
-- memcpy(buf, f.body.init.data, sizeof(f.body.init.data));
-- r = sizeof(f.body.init.data);
-+ memcpy(buf, f + INIT_DATA, CTAP_RPT_SIZE - INIT_DATA);
-+ r = CTAP_RPT_SIZE - INIT_DATA;
-
- for (int seq = 0; (size_t)r < payload_len; seq++) {
-- if (rx_frame(d, &f, ms) < 0) {
-+ if (rx_frame(d, f, ms) < 0) {
- fido_log_debug("%s: rx_frame", __func__);
- return (-1);
- }
-@@ -218,23 +207,25 @@ rx(fido_dev_t *d, uint8_t cmd, unsigned char *buf, size_t count, int ms)
- (void *)&f);
- fido_log_xxd(&f, sizeof(f));
-
-+ memcpy(&cid, f + CID, 4);
-+
- #ifdef FIDO_FUZZ
-- f.cid = d->cid;
-- f.body.cont.seq = seq;
-+ cid = d->cid;
-+ f[CONT_SEQ] = seq;
- #endif
-
-- if (f.cid != d->cid || f.body.cont.seq != seq) {
-+ if (cid != d->cid || f[CONT_SEQ] != seq) {
- fido_log_debug("%s: cid (0x%x, 0x%x), seq (%d, %d)",
-- __func__, f.cid, d->cid, f.body.cont.seq, seq);
-+ __func__, cid, d->cid, f[CONT_SEQ], seq);
- return (-1);
- }
-
-- if ((size_t)(payload_len - r) > sizeof(f.body.cont.data)) {
-- memcpy(buf + r, f.body.cont.data,
-- sizeof(f.body.cont.data));
-- r += sizeof(f.body.cont.data);
-+ if ((size_t)(payload_len - r) > CTAP_RPT_SIZE - CONT_DATA) {
-+ memcpy(buf + r, f + CONT_DATA,
-+ CTAP_RPT_SIZE - CONT_DATA);
-+ r += CTAP_RPT_SIZE - CONT_DATA;
- } else {
-- memcpy(buf + r, f.body.cont.data, payload_len - r);
-+ memcpy(buf + r, f + CONT_DATA, payload_len - r);
- r += (payload_len - r); /* break */
- }
- }
---
-2.26.1
-
diff --git a/pkg/libfido2/patch/0004-iso7816-avoid-use-of-packed-struct.patch b/pkg/libfido2/patch/0004-iso7816-avoid-use-of-packed-struct.patch
@@ -1,145 +0,0 @@
-From f820cce15621fba6b77daf4c2e1cf3f8bae0a44a Mon Sep 17 00:00:00 2001
-From: Michael Forney <mforney@mforney.org>
-Date: Tue, 26 Nov 2019 18:58:05 -0800
-Subject: [PATCH] iso7816: avoid use of packed struct
-
----
- src/iso7816.c | 50 ++++++++++++++++++++++++++++++++------------------
- src/iso7816.h | 22 +---------------------
- 2 files changed, 33 insertions(+), 39 deletions(-)
-
-diff --git a/src/iso7816.c b/src/iso7816.c
-index a3fd280..4792443 100644
---- a/src/iso7816.c
-+++ b/src/iso7816.c
-@@ -7,24 +7,40 @@
- #include <string.h>
- #include "fido.h"
-
-+struct iso7816_apdu {
-+ size_t max_len;
-+ size_t len;
-+ uint8_t buf[];
-+};
-+
-+enum {
-+ CLA,
-+ INS,
-+ P1,
-+ P2,
-+ LC1,
-+ LC2,
-+ LC3,
-+ DATA,
-+};
-+
- iso7816_apdu_t *
- iso7816_new(uint8_t ins, uint8_t p1, uint16_t payload_len)
- {
- iso7816_apdu_t *apdu;
-- size_t alloc_len;
-+ size_t max_len;
-
-- alloc_len = sizeof(iso7816_apdu_t) + payload_len + 2; /* le1 le2 */
-+ max_len = DATA + payload_len + 2; /* le1 le2 */
-
-- if ((apdu = calloc(1, alloc_len)) == NULL)
-+ if ((apdu = calloc(1, sizeof(*apdu) + max_len)) == NULL)
- return (NULL);
-
-- apdu->alloc_len = alloc_len;
-- apdu->payload_len = payload_len;
-- apdu->payload_ptr = apdu->payload;
-- apdu->header.ins = ins;
-- apdu->header.p1 = p1;
-- apdu->header.lc2 = (payload_len >> 8) & 0xff;
-- apdu->header.lc3 = payload_len & 0xff;
-+ apdu->max_len = max_len;
-+ apdu->buf[INS] = ins;
-+ apdu->buf[P1] = p1;
-+ apdu->buf[LC2] = (payload_len >> 8) & 0xff;
-+ apdu->buf[LC3] = payload_len & 0xff;
-+ apdu->len = DATA;
-
- return (apdu);
- }
-@@ -37,7 +53,7 @@ iso7816_free(iso7816_apdu_t **apdu_p)
- if (apdu_p == NULL || (apdu = *apdu_p) == NULL)
- return;
-
-- explicit_bzero(apdu, apdu->alloc_len);
-+ explicit_bzero(apdu, sizeof(*apdu) + apdu->max_len);
- free(apdu);
-
- *apdu_p = NULL;
-@@ -46,12 +62,11 @@ iso7816_free(iso7816_apdu_t **apdu_p)
- int
- iso7816_add(iso7816_apdu_t *apdu, const void *buf, size_t cnt)
- {
-- if (cnt > apdu->payload_len || cnt > UINT16_MAX)
-+ if (cnt > apdu->max_len - apdu->len)
- return (-1);
-
-- memcpy(apdu->payload_ptr, buf, cnt);
-- apdu->payload_ptr += cnt;
-- apdu->payload_len -= (uint16_t)cnt;
-+ memcpy(apdu->buf + apdu->len, buf, cnt);
-+ apdu->len += cnt;
-
- return (0);
- }
-@@ -59,12 +74,11 @@ iso7816_add(iso7816_apdu_t *apdu, const void *buf, size_t cnt)
- const unsigned char *
- iso7816_ptr(const iso7816_apdu_t *apdu)
- {
-- return ((const unsigned char *)&apdu->header);
-+ return ((const unsigned char *)&apdu->buf);
- }
-
- size_t
- iso7816_len(const iso7816_apdu_t *apdu)
- {
-- return (apdu->alloc_len - sizeof(apdu->alloc_len) -
-- sizeof(apdu->payload_len) - sizeof(apdu->payload_ptr));
-+ return (apdu->len);
- }
-diff --git a/src/iso7816.h b/src/iso7816.h
-index 563243f..6c4a263 100644
---- a/src/iso7816.h
-+++ b/src/iso7816.h
-@@ -10,31 +10,11 @@
- #include <stdint.h>
- #include <stdlib.h>
-
--#include "packed.h"
--
- #ifdef __cplusplus
- extern "C" {
- #endif /* __cplusplus */
-
--PACKED_TYPE(iso7816_header_t,
--struct iso7816_header {
-- uint8_t cla;
-- uint8_t ins;
-- uint8_t p1;
-- uint8_t p2;
-- uint8_t lc1;
-- uint8_t lc2;
-- uint8_t lc3;
--})
--
--PACKED_TYPE(iso7816_apdu_t,
--struct iso7816_apdu {
-- size_t alloc_len;
-- uint16_t payload_len;
-- uint8_t *payload_ptr;
-- iso7816_header_t header;
-- uint8_t payload[];
--})
-+typedef struct iso7816_apdu iso7816_apdu_t;
-
- const unsigned char *iso7816_ptr(const iso7816_apdu_t *);
- int iso7816_add(iso7816_apdu_t *, const void *, size_t);
---
-2.26.1
-
diff --git a/pkg/libfido2/patch/0005-dev-avoid-use-of-packed-struct.patch b/pkg/libfido2/patch/0005-dev-avoid-use-of-packed-struct.patch
@@ -1,75 +0,0 @@
-From 99d08a98c903a38ce4ca2f689feb871c1ef01a26 Mon Sep 17 00:00:00 2001
-From: Michael Forney <mforney@mforney.org>
-Date: Tue, 26 Nov 2019 19:02:46 -0800
-Subject: [PATCH] dev: avoid use of packed struct
-
----
- src/dev.c | 15 ++++++++++++---
- src/fido/types.h | 5 ++---
- 2 files changed, 14 insertions(+), 6 deletions(-)
-
-diff --git a/src/dev.c b/src/dev.c
-index 51b9935..6049cc6 100644
---- a/src/dev.c
-+++ b/src/dev.c
-@@ -145,21 +145,30 @@ static int
- fido_dev_open_rx(fido_dev_t *dev, int ms)
- {
- fido_cbor_info_t *info = NULL;
-+ uint8_t data[17];
- int reply_len;
- int r;
-
-- if ((reply_len = fido_rx(dev, CTAP_CMD_INIT, &dev->attr,
-- sizeof(dev->attr), ms)) < 0) {
-+ if ((reply_len = fido_rx(dev, CTAP_CMD_INIT, data,
-+ sizeof(data), ms)) < 0) {
- fido_log_debug("%s: fido_rx", __func__);
- r = FIDO_ERR_RX;
- goto fail;
- }
-
-+ memcpy(&dev->attr.nonce, &data[0], 8);
-+ memcpy(&dev->attr.cid, &data[8], 4);
-+ dev->attr.protocol = data[12];
-+ dev->attr.major = data[13];
-+ dev->attr.minor = data[14];
-+ dev->attr.build = data[15];
-+ dev->attr.flags = data[16];
-+
- #ifdef FIDO_FUZZ
- dev->attr.nonce = dev->nonce;
- #endif
-
-- if ((size_t)reply_len != sizeof(dev->attr) ||
-+ if ((size_t)reply_len != sizeof(data) ||
- dev->attr.nonce != dev->nonce) {
- fido_log_debug("%s: invalid nonce", __func__);
- r = FIDO_ERR_RX;
-diff --git a/src/fido/types.h b/src/fido/types.h
-index 5df5e36..a8ce2ec 100644
---- a/src/fido/types.h
-+++ b/src/fido/types.h
-@@ -194,9 +194,8 @@ typedef struct fido_dev_info {
- fido_dev_transport_t transport; /* transport functions */
- } fido_dev_info_t;
-
--PACKED_TYPE(fido_ctap_info_t,
- /* defined in section 8.1.9.1.3 (CTAPHID_INIT) of the fido2 ctap spec */
--struct fido_ctap_info {
-+typedef struct fido_ctap_info {
- uint64_t nonce; /* echoed nonce */
- uint32_t cid; /* channel id */
- uint8_t protocol; /* ctaphid protocol id */
-@@ -204,7 +203,7 @@ struct fido_ctap_info {
- uint8_t minor; /* minor version number */
- uint8_t build; /* build version number */
- uint8_t flags; /* capabilities flags; see FIDO_CAP_* */
--})
-+} fido_ctap_info_t;
-
- typedef struct fido_dev {
- uint64_t nonce; /* issued nonce */
---
-2.26.1
-
diff --git a/pkg/libfido2/patch/0006-cbor-u2f-avoid-use-of-packed-struct.patch b/pkg/libfido2/patch/0006-cbor-u2f-avoid-use-of-packed-struct.patch
@@ -1,201 +0,0 @@
-From 1cb2420a26924ea4b4a5b525a78cdd06e4f9e4fa Mon Sep 17 00:00:00 2001
-From: Michael Forney <mforney@mforney.org>
-Date: Tue, 26 Nov 2019 19:30:10 -0800
-Subject: [PATCH] cbor, u2f: avoid use of packed struct
-
----
- src/cbor.c | 14 ++++++++--
- src/fido/types.h | 13 ++-------
- src/u2f.c | 70 +++++++++++++++++++++++++++++++++---------------
- 3 files changed, 62 insertions(+), 35 deletions(-)
-
-diff --git a/src/cbor.c b/src/cbor.c
-index 3928325..2b3c150 100644
---- a/src/cbor.c
-+++ b/src/cbor.c
-@@ -1278,7 +1278,12 @@ cbor_decode_cred_authdata(const cbor_item_t *item, int cose_alg,
- fido_log_debug("%s: buf=%p, len=%zu", __func__, (const void *)buf, len);
- fido_log_xxd(buf, len);
-
-- if (fido_buf_read(&buf, &len, authdata, sizeof(*authdata)) < 0) {
-+ if (fido_buf_read(&buf, &len, authdata->rp_id_hash,
-+ sizeof(authdata->rp_id_hash)) < 0 ||
-+ fido_buf_read(&buf, &len, &authdata->flags,
-+ sizeof(authdata->flags)) < 0 ||
-+ fido_buf_read(&buf, &len, &authdata->sigcount,
-+ sizeof(authdata->sigcount)) < 0) {
- fido_log_debug("%s: fido_buf_read", __func__);
- return (-1);
- }
-@@ -1328,7 +1333,12 @@ cbor_decode_assert_authdata(const cbor_item_t *item, fido_blob_t *authdata_cbor,
-
- fido_log_debug("%s: buf=%p, len=%zu", __func__, (const void *)buf, len);
-
-- if (fido_buf_read(&buf, &len, authdata, sizeof(*authdata)) < 0) {
-+ if (fido_buf_read(&buf, &len, authdata->rp_id_hash,
-+ sizeof(authdata->rp_id_hash)) < 0 ||
-+ fido_buf_read(&buf, &len, &authdata->flags,
-+ sizeof(authdata->flags)) < 0 ||
-+ fido_buf_read(&buf, &len, &authdata->sigcount,
-+ sizeof(authdata->sigcount)) < 0) {
- fido_log_debug("%s: fido_buf_read", __func__);
- return (-1);
- }
-diff --git a/src/fido/types.h b/src/fido/types.h
-index a8ce2ec..814f22c 100644
---- a/src/fido/types.h
-+++ b/src/fido/types.h
-@@ -44,7 +44,6 @@ typedef enum {
- typedef void fido_log_handler_t(const char *);
-
- #ifdef _FIDO_INTERNAL
--#include "packed.h"
- #include "blob.h"
-
- /* COSE ES256 (ECDSA over P-256 with SHA-256) public key */
-@@ -69,20 +68,12 @@ typedef struct eddsa_pk {
- unsigned char x[32];
- } eddsa_pk_t;
-
--PACKED_TYPE(fido_authdata_t,
--struct fido_authdata {
-+typedef struct fido_authdata {
- unsigned char rp_id_hash[32]; /* sha256 of fido_rp.id */
- uint8_t flags; /* user present/verified */
- uint32_t sigcount; /* signature counter */
- /* actually longer */
--})
--
--PACKED_TYPE(fido_attcred_raw_t,
--struct fido_attcred_raw {
-- unsigned char aaguid[16]; /* credential's aaguid */
-- uint16_t id_len; /* credential id length */
-- uint8_t body[]; /* credential id + pubkey */
--})
-+} fido_authdata_t;
-
- typedef struct fido_attcred {
- unsigned char aaguid[16]; /* credential's aaguid */
-diff --git a/src/u2f.c b/src/u2f.c
-index 3b01f61..848d2fb 100644
---- a/src/u2f.c
-+++ b/src/u2f.c
-@@ -16,6 +16,29 @@
- #include "fido.h"
- #include "fido/es256.h"
-
-+/*
-+ * Web Authentication section 6.1
-+ * https://www.w3.org/TR/webauthn/#authenticator-data
-+ */
-+enum {
-+ AUTHDATA_RP_ID_HASH = 0,
-+ AUTHDATA_FLAGS = 32,
-+ AUTHDATA_SIGN_COUNT = 33,
-+
-+ AUTHDATA_BASE_SIZE = 37
-+};
-+
-+/*
-+ * Web Authentication section 6.4.1
-+ * https://www.w3.org/TR/webauthn/#sec-attested-credential-data
-+ */
-+enum {
-+ ATTCRED_AAGUID = 0,
-+ ATTCRED_CREDENTIAL_ID_LENGTH = 16,
-+
-+ ATTCRED_BASE_SIZE = 18
-+};
-+
- static int
- sleep_msec(unsigned int msec)
- {
-@@ -96,23 +119,24 @@ static int
- authdata_fake(const char *rp_id, uint8_t flags, uint32_t sigcount,
- fido_blob_t *fake_cbor_ad)
- {
-- fido_authdata_t ad;
-+ uint8_t authdata[AUTHDATA_BASE_SIZE] = {0};
-+ unsigned char *rp_id_hash;
- cbor_item_t *item = NULL;
- size_t alloc_len;
-
-- memset(&ad, 0, sizeof(ad));
-+ rp_id_hash = (unsigned char *)&authdata[AUTHDATA_RP_ID_HASH];
-
- if (SHA256((const void *)rp_id, strlen(rp_id),
-- ad.rp_id_hash) != ad.rp_id_hash) {
-+ rp_id_hash) != rp_id_hash) {
- fido_log_debug("%s: sha256", __func__);
- return (-1);
- }
-
-- ad.flags = flags; /* XXX translate? */
-- ad.sigcount = sigcount;
-+ authdata[AUTHDATA_FLAGS] = flags; /* XXX translate? */
-+ memcpy(&authdata[AUTHDATA_SIGN_COUNT], &sigcount, 4);
-
-- if ((item = cbor_build_bytestring((const unsigned char *)&ad,
-- sizeof(ad))) == NULL) {
-+ if ((item = cbor_build_bytestring((cbor_data)authdata,
-+ sizeof(authdata))) == NULL) {
- fido_log_debug("%s: cbor_build_bytestring", __func__);
- return (-1);
- }
-@@ -410,18 +434,18 @@ static int
- encode_cred_authdata(const char *rp_id, const uint8_t *kh, uint8_t kh_len,
- const uint8_t *pubkey, size_t pubkey_len, fido_blob_t *out)
- {
-- fido_authdata_t authdata;
-- fido_attcred_raw_t attcred_raw;
-- fido_blob_t pk_blob;
-- fido_blob_t authdata_blob;
-- cbor_item_t *authdata_cbor = NULL;
-- unsigned char *ptr;
-- size_t len;
-- size_t alloc_len;
-- int ok = -1;
-+ uint8_t authdata[AUTHDATA_BASE_SIZE] = {0};
-+ unsigned char *rp_id_hash;
-+ uint8_t attcred_raw[ATTCRED_BASE_SIZE] = {0};
-+ fido_blob_t pk_blob;
-+ fido_blob_t authdata_blob;
-+ cbor_item_t *authdata_cbor = NULL;
-+ unsigned char *ptr;
-+ size_t len;
-+ size_t alloc_len;
-+ int ok = -1;
-
- memset(&pk_blob, 0, sizeof(pk_blob));
-- memset(&authdata, 0, sizeof(authdata));
- memset(&authdata_blob, 0, sizeof(authdata_blob));
- memset(out, 0, sizeof(*out));
-
-@@ -435,17 +459,19 @@ encode_cred_authdata(const char *rp_id, const uint8_t *kh, uint8_t kh_len,
- goto fail;
- }
-
-+ rp_id_hash = (unsigned char *)&authdata[AUTHDATA_RP_ID_HASH];
-+
- if (SHA256((const void *)rp_id, strlen(rp_id),
-- authdata.rp_id_hash) != authdata.rp_id_hash) {
-+ rp_id_hash) != rp_id_hash) {
- fido_log_debug("%s: sha256", __func__);
- goto fail;
- }
-
-- authdata.flags = (CTAP_AUTHDATA_ATT_CRED | CTAP_AUTHDATA_USER_PRESENT);
-- authdata.sigcount = 0;
-+ authdata[AUTHDATA_FLAGS] = (CTAP_AUTHDATA_ATT_CRED |
-+ CTAP_AUTHDATA_USER_PRESENT);
-
-- memset(&attcred_raw.aaguid, 0, sizeof(attcred_raw.aaguid));
-- attcred_raw.id_len = htobe16(kh_len);
-+ /* big-endian, so second byte is LSB */
-+ attcred_raw[ATTCRED_CREDENTIAL_ID_LENGTH + 1] = kh_len;
-
- len = authdata_blob.len = sizeof(authdata) + sizeof(attcred_raw) +
- kh_len + pk_blob.len;
---
-2.26.1
-
diff --git a/pkg/libfido2/patch/0007-remove-unused-packed.h.patch b/pkg/libfido2/patch/0007-remove-unused-packed.h.patch
@@ -1,41 +0,0 @@
-From 5240c76168f9de8683673892e61dea548eda584e Mon Sep 17 00:00:00 2001
-From: Michael Forney <mforney@mforney.org>
-Date: Tue, 26 Nov 2019 19:30:28 -0800
-Subject: [PATCH] remove unused packed.h
-
----
- src/packed.h | 22 ----------------------
- 1 file changed, 22 deletions(-)
- delete mode 100644 src/packed.h
-
-diff --git a/src/packed.h b/src/packed.h
-deleted file mode 100644
-index 3857c22..0000000
---- a/src/packed.h
-+++ /dev/null
-@@ -1,22 +0,0 @@
--/*
-- * Copyright (c) 2018 Yubico AB. All rights reserved.
-- * Use of this source code is governed by a BSD-style
-- * license that can be found in the LICENSE file.
-- */
--
--#ifndef _PACKED_H
--#define _PACKED_H
--
--#if defined(__GNUC__)
--#define PACKED_TYPE(type, def) \
-- typedef def __attribute__ ((__packed__)) type;
--#elif defined(_MSC_VER)
--#define PACKED_TYPE(type, def) \
-- __pragma(pack(push, 1)) \
-- typedef def type; \
-- __pragma(pack(pop))
--#else
--#error "please provide a way to define packed types on your platform"
--#endif
--
--#endif /* !_PACKED_H */
---
-2.24.0
-
diff --git a/pkg/libfido2/patch/0008-port-to-BearSSL.patch b/pkg/libfido2/patch/0008-port-to-BearSSL.patch
@@ -1,1803 +0,0 @@
-From 6d0970678ad7ea140dc895722714ea9851017e0b Mon Sep 17 00:00:00 2001
-From: Michael Forney <mforney@mforney.org>
-Date: Mon, 18 Nov 2019 23:46:22 -0800
-Subject: [PATCH] port to BearSSL
-
----
- CMakeLists.txt | 42 +++----
- src/CMakeLists.txt | 4 +-
- src/aes256.c | 61 +++++------
- src/assert.c | 135 ++++++++---------------
- src/cbor.c | 98 ++++++-----------
- src/cred.c | 81 ++++++--------
- src/credman.c | 16 +--
- src/ecdh.c | 55 +++-------
- src/eddsa.c | 92 ----------------
- src/es256.c | 268 +++++++--------------------------------------
- src/fido.h | 3 -
- src/fido/eddsa.h | 22 ----
- src/fido/es256.h | 5 -
- src/fido/rs256.h | 4 -
- src/rs256.c | 117 +-------------------
- src/u2f.c | 109 +++++++++---------
- 16 files changed, 280 insertions(+), 832 deletions(-)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 5262ca8..67da04e 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -52,13 +52,13 @@ endif()
-
- if(MSVC)
- if((NOT CBOR_INCLUDE_DIRS) OR (NOT CBOR_LIBRARY_DIRS) OR
-- (NOT CRYPTO_INCLUDE_DIRS) OR (NOT CRYPTO_LIBRARY_DIRS))
-+ (NOT BEARSSL_INCLUDE_DIRS) OR (NOT BEARSSL_LIBRARY_DIRS))
- message(FATAL_ERROR "please provide definitions for "
-- "{CBOR,CRYPTO}_{INCLUDE,LIBRARY}_DIRS when building "
-+ "{CBOR,BEARSSL}_{INCLUDE,LIBRARY}_DIRS when building "
- "under msvc")
- endif()
- set(CBOR_LIBRARIES cbor)
-- set(CRYPTO_LIBRARIES crypto-45)
-+ set(BEARSSL_LIBRARIES bearssl)
- set(MSVC_DISABLED_WARNINGS_LIST
- "C4200" # nonstandard extension used: zero-sized array in
- # struct/union;
-@@ -79,24 +79,20 @@ if(MSVC)
- else()
- include(FindPkgConfig)
- pkg_search_module(CBOR libcbor)
-- pkg_search_module(CRYPTO libcrypto)
-
-- # XXX workaround libcbor's missing .pc file
-- if(NOT CBOR_FOUND)
-- check_include_files(cbor.h HAVE_CBOR_H)
-- if(NOT HAVE_CBOR_H)
-- message(FATAL_ERROR "could not find cbor header files")
-- endif()
-- set(CBOR_LIBRARIES "cbor")
-+ find_library(BEARSSL_LIBRARIES bearssl)
-+ find_path(BEARSSL_INCLUDE_DIRS bearssl.h)
-+ if(NOT BEARSSL_LIBRARIES OR NOT BEARSSL_INCLUDE_DIRS)
-+ message(FATAL_ERROR "could not find BearSSL")
- endif()
-
-- # XXX workaround libcrypto's missing .pc file
-- if(NOT CRYPTO_FOUND)
-- check_include_files(openssl/opensslv.h HAVE_OPENSSLV_H)
-- if(NOT HAVE_OPENSSLV_H)
-- message(FATAL_ERROR "could not find crypto header files")
-+ # XXX workaround libcbor's missing .pc file
-+ if(NOT CBOR_FOUND)
-+ find_library(CBOR_LIBRARIES cbor)
-+ find_path(CBOR_INCLUDE_DIRS cbor.h)
-+ if(NOT CBOR_LIBRARIES OR NOT CBOR_INCLUDE_DIRS)
-+ message(FATAL_ERROR "could not find libcbor")
- endif()
-- set(CRYPTO_LIBRARIES "crypto")
- endif()
-
- if(CMAKE_SYSTEM_NAME STREQUAL "Linux")
-@@ -369,10 +365,9 @@ endif()
-
- include_directories(${CMAKE_SOURCE_DIR}/src)
- include_directories(${CBOR_INCLUDE_DIRS})
--include_directories(${CRYPTO_INCLUDE_DIRS})
-+include_directories(${BEARSSL_INCLUDE_DIRS})
-
- link_directories(${CBOR_LIBRARY_DIRS})
--link_directories(${CRYPTO_LIBRARY_DIRS})
-
- message(STATUS "CMAKE_C_COMPILER: ${CMAKE_C_COMPILER}")
- message(STATUS "CMAKE_C_COMPILER_ID: ${CMAKE_C_COMPILER_ID}")
-@@ -382,9 +377,8 @@ message(STATUS "CMAKE_BUILD_TYPE: ${CMAKE_BUILD_TYPE}")
- message(STATUS "CBOR_INCLUDE_DIRS: ${CBOR_INCLUDE_DIRS}")
- message(STATUS "CBOR_LIBRARY_DIRS: ${CBOR_LIBRARY_DIRS}")
- message(STATUS "CBOR_LIBRARIES: ${CBOR_LIBRARIES}")
--message(STATUS "CRYPTO_INCLUDE_DIRS: ${CRYPTO_INCLUDE_DIRS}")
--message(STATUS "CRYPTO_LIBRARY_DIRS: ${CRYPTO_LIBRARY_DIRS}")
--message(STATUS "CRYPTO_LIBRARIES: ${CRYPTO_LIBRARIES}")
-+message(STATUS "BEARSSL_INCLUDE_DIRS: ${BEARSSL_INCLUDE_DIRS}")
-+message(STATUS "BEARSSL_LIBRARIES: ${BEARSSL_LIBRARIES}")
- message(STATUS "BASE_LIBRARIES: ${BASE_LIBRARIES}")
- message(STATUS "HIDAPI_LIBRARIES: ${HIDAPI_LIBRARIES}")
- message(STATUS "VERSION: ${FIDO_VERSION}")
-@@ -407,8 +401,8 @@ if(CMAKE_SYSTEM_NAME STREQUAL "Linux")
- endif()
-
- subdirs(src)
--subdirs(examples)
--subdirs(tools)
-+#subdirs(examples)
-+#subdirs(tools)
- subdirs(man)
-
- if(NOT WIN32)
-diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
-index 3cf62e8..1d66728 100644
---- a/src/CMakeLists.txt
-+++ b/src/CMakeLists.txt
-@@ -61,7 +61,7 @@ list(APPEND COMPAT_SOURCES
-
- # static library
- add_library(fido2 STATIC ${FIDO_SOURCES} ${COMPAT_SOURCES})
--target_link_libraries(fido2 ${CBOR_LIBRARIES} ${CRYPTO_LIBRARIES}
-+target_link_libraries(fido2 ${CBOR_LIBRARIES} ${BEARSSL_LIBRARIES}
- ${UDEV_LIBRARIES} ${BASE_LIBRARIES} ${HIDAPI_LIBRARIES})
- if(WIN32)
- if (MINGW)
-@@ -79,7 +79,7 @@ install(TARGETS fido2 ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR}
-
- # dynamic library
- add_library(fido2_shared SHARED ${FIDO_SOURCES} ${COMPAT_SOURCES})
--target_link_libraries(fido2_shared ${CBOR_LIBRARIES} ${CRYPTO_LIBRARIES}
-+target_link_libraries(fido2_shared ${CBOR_LIBRARIES} ${BEARSSL_LIBRARIES}
- ${UDEV_LIBRARIES} ${BASE_LIBRARIES} ${HIDAPI_LIBRARIES})
- if(WIN32)
- if (MINGW)
-diff --git a/src/aes256.c b/src/aes256.c
-index 767cdb2..baacc0a 100644
---- a/src/aes256.c
-+++ b/src/aes256.c
-@@ -4,7 +4,8 @@
- * license that can be found in the LICENSE file.
- */
-
--#include <openssl/evp.h>
-+#include <bearssl.h>
-+
- #include <string.h>
-
- #include "fido.h"
-@@ -12,38 +13,33 @@
- int
- aes256_cbc_enc(const fido_blob_t *key, const fido_blob_t *in, fido_blob_t *out)
- {
-- EVP_CIPHER_CTX *ctx = NULL;
-- unsigned char iv[32];
-- int len;
-- int ok = -1;
-+ br_aes_ct64_cbcenc_keys ctx;
-+ unsigned char iv[32];
-+ int ok = -1;
-
- memset(iv, 0, sizeof(iv));
- out->ptr = NULL;
- out->len = 0;
-
- /* sanity check */
-- if (in->len > INT_MAX || (in->len % 16) != 0 ||
-- (out->ptr = calloc(1, in->len)) == NULL) {
-+ if ((in->len % 16) != 0 || (out->ptr = calloc(1, in->len)) == NULL) {
- fido_log_debug("%s: in->len=%zu", __func__, in->len);
- goto fail;
- }
--
-- if ((ctx = EVP_CIPHER_CTX_new()) == NULL || key->len != 32 ||
-- !EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key->ptr, iv) ||
-- !EVP_CIPHER_CTX_set_padding(ctx, 0) ||
-- !EVP_EncryptUpdate(ctx, out->ptr, &len, in->ptr, (int)in->len) ||
-- len < 0 || (size_t)len != in->len) {
-- fido_log_debug("%s: EVP_Encrypt", __func__);
-+ if (key->len != 32) {
-+ fido_log_debug("%s: key->len=%zu", __func__, key->len);
- goto fail;
- }
-
-- out->len = (size_t)len;
-+ memcpy(out->ptr, in->ptr, in->len);
-+ br_aes_ct64_cbcenc_init(&ctx, key->ptr, key->len);
-+ br_aes_ct64_cbcenc_run(&ctx, iv, out->ptr, out->len);
-+ explicit_bzero(&ctx, sizeof(ctx));
-+
-+ out->len = in->len;
-
- ok = 0;
- fail:
-- if (ctx != NULL)
-- EVP_CIPHER_CTX_free(ctx);
--
- if (ok < 0) {
- free(out->ptr);
- out->ptr = NULL;
-@@ -56,38 +52,33 @@ fail:
- int
- aes256_cbc_dec(const fido_blob_t *key, const fido_blob_t *in, fido_blob_t *out)
- {
-- EVP_CIPHER_CTX *ctx = NULL;
-- unsigned char iv[32];
-- int len;
-- int ok = -1;
-+ br_aes_ct64_cbcdec_keys ctx;
-+ unsigned char iv[32];
-+ int ok = -1;
-
- memset(iv, 0, sizeof(iv));
- out->ptr = NULL;
- out->len = 0;
-
- /* sanity check */
-- if (in->len > INT_MAX || (in->len % 16) != 0 ||
-- (out->ptr = calloc(1, in->len)) == NULL) {
-+ if ((in->len % 16) != 0 || (out->ptr = calloc(1, in->len)) == NULL) {
- fido_log_debug("%s: in->len=%zu", __func__, in->len);
- goto fail;
- }
--
-- if ((ctx = EVP_CIPHER_CTX_new()) == NULL || key->len != 32 ||
-- !EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key->ptr, iv) ||
-- !EVP_CIPHER_CTX_set_padding(ctx, 0) ||
-- !EVP_DecryptUpdate(ctx, out->ptr, &len, in->ptr, (int)in->len) ||
-- len < 0 || (size_t)len > in->len + 32) {
-- fido_log_debug("%s: EVP_Decrypt", __func__);
-+ if (key->len != 32) {
-+ fido_log_debug("%s: key->len=%zu", __func__, key->len);
- goto fail;
- }
-
-- out->len = (size_t)len;
-+ memcpy(out->ptr, in->ptr, in->len);
-+ br_aes_ct64_cbcdec_init(&ctx, key->ptr, key->len);
-+ br_aes_ct64_cbcdec_run(&ctx, iv, out->ptr, out->len);
-+ explicit_bzero(&ctx, sizeof(ctx));
-+
-+ out->len = in->len;
-
- ok = 0;
- fail:
-- if (ctx != NULL)
-- EVP_CIPHER_CTX_free(ctx);
--
- if (ok < 0) {
- free(out->ptr);
- out->ptr = NULL;
-diff --git a/src/assert.c b/src/assert.c
-index b71d00e..cccc3e1 100644
---- a/src/assert.c
-+++ b/src/assert.c
-@@ -4,10 +4,7 @@
- * license that can be found in the LICENSE file.
- */
-
--#include <openssl/ec.h>
--#include <openssl/ecdsa.h>
--#include <openssl/evp.h>
--#include <openssl/sha.h>
-+#include <bearssl.h>
-
- #include <string.h>
- #include "fido.h"
-@@ -370,7 +367,7 @@ fido_get_signed_hash(int cose_alg, fido_blob_t *dgst, const fido_blob_t *clientd
- unsigned char *authdata_ptr = NULL;
- size_t authdata_len;
- struct cbor_load_result cbor;
-- SHA256_CTX ctx;
-+ br_sha256_context ctx;
- int ok = -1;
-
- if ((item = cbor_load(authdata_cbor->ptr, authdata_cbor->len,
-@@ -384,14 +381,15 @@ fido_get_signed_hash(int cose_alg, fido_blob_t *dgst, const fido_blob_t *clientd
- authdata_len = cbor_bytestring_length(item);
-
- if (cose_alg != COSE_EDDSA) {
-- if (dgst->len < SHA256_DIGEST_LENGTH || SHA256_Init(&ctx) == 0 ||
-- SHA256_Update(&ctx, authdata_ptr, authdata_len) == 0 ||
-- SHA256_Update(&ctx, clientdata->ptr, clientdata->len) == 0 ||
-- SHA256_Final(dgst->ptr, &ctx) == 0) {
-+ if (dgst->len < br_sha256_SIZE) {
- fido_log_debug("%s: sha256", __func__);
- goto fail;
- }
-- dgst->len = SHA256_DIGEST_LENGTH;
-+ br_sha256_init(&ctx);
-+ br_sha256_update(&ctx, authdata_ptr, authdata_len);
-+ br_sha256_update(&ctx, clientdata->ptr, clientdata->len);
-+ br_sha256_out(&ctx, dgst->ptr);
-+ dgst->len = br_sha256_SIZE;
- } else {
- if (SIZE_MAX - authdata_len < clientdata->len ||
- dgst->len < authdata_len + clientdata->len) {
-@@ -416,34 +414,25 @@ int
- fido_verify_sig_es256(const fido_blob_t *dgst, const es256_pk_t *pk,
- const fido_blob_t *sig)
- {
-- EVP_PKEY *pkey = NULL;
-- EC_KEY *ec = NULL;
-- int ok = -1;
--
-- /* ECDSA_verify needs ints */
-- if (dgst->len > INT_MAX || sig->len > INT_MAX) {
-- fido_log_debug("%s: dgst->len=%zu, sig->len=%zu", __func__,
-- dgst->len, sig->len);
-- return (-1);
-- }
-+ unsigned char q[BR_EC_KBUF_PUB_MAX_SIZE];
-+ br_ec_public_key pkey;
-+ int ok = -1;
-
-- if ((pkey = es256_pk_to_EVP_PKEY(pk)) == NULL ||
-- (ec = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) {
-- fido_log_debug("%s: pk -> ec", __func__);
-- goto fail;
-- }
-+ /* BearSSL needs uncompressed format */
-+ q[0] = 4;
-+ memcpy(q + 1, pk->x, 32);
-+ memcpy(q + 1 + 32, pk->y, 32);
-+ pkey.q = q;
-+ pkey.qlen = 1 + 32 + 32;
-
-- if (ECDSA_verify(0, dgst->ptr, (int)dgst->len, sig->ptr,
-- (int)sig->len, ec) != 1) {
-- fido_log_debug("%s: ECDSA_verify", __func__);
-+ if (br_ecdsa_vrfy_asn1_get_default()(br_ec_get_default(), dgst->ptr,
-+ dgst->len, &pkey, sig->ptr, sig->len) == 0) {
-+ fido_log_debug("%s: ECDSA verify", __func__);
- goto fail;
- }
-
- ok = 0;
- fail:
-- if (pkey != NULL)
-- EVP_PKEY_free(pkey);
--
- return (ok);
- }
-
-@@ -451,34 +440,37 @@ int
- fido_verify_sig_rs256(const fido_blob_t *dgst, const rs256_pk_t *pk,
- const fido_blob_t *sig)
- {
-- EVP_PKEY *pkey = NULL;
-- RSA *rsa = NULL;
-- int ok = -1;
--
-- /* RSA_verify needs unsigned ints */
-- if (dgst->len > UINT_MAX || sig->len > UINT_MAX) {
-- fido_log_debug("%s: dgst->len=%zu, sig->len=%zu", __func__,
-- dgst->len, sig->len);
-+ br_rsa_public_key pkey;
-+ unsigned char hash[br_sha256_SIZE];
-+ int ok = -1;
-+
-+ /* RSA verify needs SHA256-sized hash */
-+ if (dgst->len != br_sha256_SIZE) {
-+ fido_log_debug("%s: dgst->len=%zu", __func__, dgst->len);
- return (-1);
- }
-
-- if ((pkey = rs256_pk_to_EVP_PKEY(pk)) == NULL ||
-- (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
-- fido_log_debug("%s: pk -> ec", __func__);
-- goto fail;
-- }
-+#ifdef __GNUC__
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wcast-qual"
-+#endif
-+ pkey.n = (unsigned char *)pk->n;
-+ pkey.nlen = sizeof(pk->n);
-+ pkey.e = (unsigned char *)pk->e;
-+ pkey.elen = sizeof(pk->e);
-+#ifdef __GNUC__
-+#pragma GCC diagnostic pop
-+#endif
-
-- if (RSA_verify(NID_sha256, dgst->ptr, (unsigned int)dgst->len, sig->ptr,
-- (unsigned int)sig->len, rsa) != 1) {
-+ if (br_rsa_pkcs1_vrfy_get_default()(sig->ptr, sig->len,
-+ BR_HASH_OID_SHA256, dgst->len, &pkey, hash) != 1 ||
-+ memcmp(dgst->ptr, hash, sizeof(hash)) != 0) {
- fido_log_debug("%s: RSA_verify", __func__);
- goto fail;
- }
-
- ok = 0;
- fail:
-- if (pkey != NULL)
-- EVP_PKEY_free(pkey);
--
- return (ok);
- }
-
-@@ -486,47 +478,12 @@ int
- fido_verify_sig_eddsa(const fido_blob_t *dgst, const eddsa_pk_t *pk,
- const fido_blob_t *sig)
- {
-- EVP_PKEY *pkey = NULL;
-- EVP_MD_CTX *mdctx = NULL;
-- int ok = -1;
--
-- /* EVP_DigestVerify needs ints */
-- if (dgst->len > INT_MAX || sig->len > INT_MAX) {
-- fido_log_debug("%s: dgst->len=%zu, sig->len=%zu", __func__,
-- dgst->len, sig->len);
-- return (-1);
-- }
-+ (void)dgst;
-+ (void)pk;
-+ (void)sig;
-
-- if ((pkey = eddsa_pk_to_EVP_PKEY(pk)) == NULL) {
-- fido_log_debug("%s: pk -> pkey", __func__);
-- goto fail;
-- }
--
-- if ((mdctx = EVP_MD_CTX_new()) == NULL) {
-- fido_log_debug("%s: EVP_MD_CTX_new", __func__);
-- goto fail;
-- }
--
-- if (EVP_DigestVerifyInit(mdctx, NULL, NULL, NULL, pkey) != 1) {
-- fido_log_debug("%s: EVP_DigestVerifyInit", __func__);
-- goto fail;
-- }
--
-- if (EVP_DigestVerify(mdctx, sig->ptr, sig->len, dgst->ptr,
-- dgst->len) != 1) {
-- fido_log_debug("%s: EVP_DigestVerify", __func__);
-- goto fail;
-- }
--
-- ok = 0;
--fail:
-- if (mdctx != NULL)
-- EVP_MD_CTX_free(mdctx);
--
-- if (pkey != NULL)
-- EVP_PKEY_free(pkey);
--
-- return (ok);
-+ fido_log_debug("%s: EdDSA not implemented", __func__);
-+ return (-1);
- }
-
- int
-diff --git a/src/cbor.c b/src/cbor.c
-index 2b3c150..dfe3ddf 100644
---- a/src/cbor.c
-+++ b/src/cbor.c
-@@ -4,9 +4,7 @@
- * license that can be found in the LICENSE file.
- */
-
--#include <openssl/evp.h>
--#include <openssl/hmac.h>
--#include <openssl/sha.h>
-+#include <bearssl.h>
-
- #include <string.h>
- #include "fido.h"
-@@ -629,14 +627,16 @@ cbor_encode_assert_options(fido_opt_t up, fido_opt_t uv)
- cbor_item_t *
- cbor_encode_pin_auth(const fido_blob_t *hmac_key, const fido_blob_t *data)
- {
-- const EVP_MD *md = NULL;
-- unsigned char dgst[SHA256_DIGEST_LENGTH];
-- unsigned int dgst_len;
-+ br_hmac_context ctx;
-+ br_hmac_key_context kc;
-+ unsigned char dgst[br_sha256_SIZE];
-
-- if ((md = EVP_sha256()) == NULL || HMAC(md, hmac_key->ptr,
-- (int)hmac_key->len, data->ptr, (int)data->len, dgst,
-- &dgst_len) == NULL || dgst_len != SHA256_DIGEST_LENGTH)
-- return (NULL);
-+ br_hmac_key_init(&kc, &br_sha256_vtable, hmac_key->ptr, hmac_key->len);
-+ br_hmac_init(&ctx, &kc, 0);
-+ br_hmac_update(&ctx, data->ptr, data->len);
-+ br_hmac_out(&ctx, dgst);
-+ explicit_bzero(&kc, sizeof(kc));
-+ explicit_bzero(&ctx, sizeof(ctx));
-
- return (cbor_build_bytestring(dgst, 16));
- }
-@@ -665,17 +665,16 @@ cbor_encode_pin_enc(const fido_blob_t *key, const fido_blob_t *pin)
- static int
- sha256(const unsigned char *data, size_t data_len, fido_blob_t *digest)
- {
-- if ((digest->ptr = calloc(1, SHA256_DIGEST_LENGTH)) == NULL)
-+ br_sha256_context ctx;
-+
-+ if ((digest->ptr = calloc(1, br_sha256_SIZE)) == NULL)
- return (-1);
-
-- digest->len = SHA256_DIGEST_LENGTH;
-+ digest->len = br_sha256_SIZE;
-
-- if (SHA256(data, data_len, digest->ptr) != digest->ptr) {
-- free(digest->ptr);
-- digest->ptr = NULL;
-- digest->len = 0;
-- return (-1);
-- }
-+ br_sha256_init(&ctx);
-+ br_sha256_update(&ctx, data, data_len);
-+ br_sha256_out(&ctx, digest->ptr);
-
- return (0);
- }
-@@ -684,15 +683,10 @@ cbor_item_t *
- cbor_encode_change_pin_auth(const fido_blob_t *key, const fido_blob_t *new_pin,
- const fido_blob_t *pin)
- {
-- unsigned char dgst[SHA256_DIGEST_LENGTH];
-- unsigned int dgst_len;
-+ unsigned char dgst[br_sha256_SIZE];
- cbor_item_t *item = NULL;
-- const EVP_MD *md = NULL;
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-- HMAC_CTX ctx;
--#else
-- HMAC_CTX *ctx = NULL;
--#endif
-+ br_hmac_context ctx;
-+ br_hmac_key_context kc;
- fido_blob_t *npe = NULL; /* new pin, encrypted */
- fido_blob_t *ph = NULL; /* pin hash */
- fido_blob_t *phe = NULL; /* pin hash, encrypted */
-@@ -720,28 +714,13 @@ cbor_encode_change_pin_auth(const fido_blob_t *key, const fido_blob_t *new_pin,
- goto fail;
- }
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-- HMAC_CTX_init(&ctx);
--
-- if ((md = EVP_sha256()) == NULL ||
-- HMAC_Init_ex(&ctx, key->ptr, (int)key->len, md, NULL) == 0 ||
-- HMAC_Update(&ctx, npe->ptr, (int)npe->len) == 0 ||
-- HMAC_Update(&ctx, phe->ptr, (int)phe->len) == 0 ||
-- HMAC_Final(&ctx, dgst, &dgst_len) == 0 || dgst_len != 32) {
-- fido_log_debug("%s: HMAC", __func__);
-- goto fail;
-- }
--#else
-- if ((ctx = HMAC_CTX_new()) == NULL ||
-- (md = EVP_sha256()) == NULL ||
-- HMAC_Init_ex(ctx, key->ptr, (int)key->len, md, NULL) == 0 ||
-- HMAC_Update(ctx, npe->ptr, (int)npe->len) == 0 ||
-- HMAC_Update(ctx, phe->ptr, (int)phe->len) == 0 ||
-- HMAC_Final(ctx, dgst, &dgst_len) == 0 || dgst_len != 32) {
-- fido_log_debug("%s: HMAC", __func__);
-- goto fail;
-- }
--#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
-+ br_hmac_key_init(&kc, &br_sha256_vtable, key->ptr, key->len);
-+ br_hmac_init(&ctx, &kc, 0);
-+ br_hmac_update(&ctx, npe->ptr, npe->len);
-+ br_hmac_update(&ctx, phe->ptr, phe->len);
-+ br_hmac_out(&ctx, dgst);
-+ explicit_bzero(&kc, sizeof(kc));
-+ explicit_bzero(&ctx, sizeof(ctx));
-
- if ((item = cbor_build_bytestring(dgst, 16)) == NULL) {
- fido_log_debug("%s: cbor_build_bytestring", __func__);
-@@ -754,11 +733,6 @@ fail:
- fido_blob_free(&ph);
- fido_blob_free(&phe);
-
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-- if (ctx != NULL)
-- HMAC_CTX_free(ctx);
--#endif
--
- if (ok < 0) {
- if (item != NULL) {
- cbor_decref(&item);
-@@ -772,9 +746,9 @@ fail:
- cbor_item_t *
- cbor_encode_set_pin_auth(const fido_blob_t *key, const fido_blob_t *pin)
- {
-- const EVP_MD *md = NULL;
-- unsigned char dgst[SHA256_DIGEST_LENGTH];
-- unsigned int dgst_len;
-+ br_hmac_context ctx;
-+ br_hmac_key_context kc;
-+ unsigned char dgst[br_sha256_SIZE];
- cbor_item_t *item = NULL;
- fido_blob_t *pe = NULL;
-
-@@ -786,12 +760,12 @@ cbor_encode_set_pin_auth(const fido_blob_t *key, const fido_blob_t *pin)
- goto fail;
- }
-
-- if ((md = EVP_sha256()) == NULL || key->len != 32 || HMAC(md, key->ptr,
-- (int)key->len, pe->ptr, (int)pe->len, dgst, &dgst_len) == NULL ||
-- dgst_len != SHA256_DIGEST_LENGTH) {
-- fido_log_debug("%s: HMAC", __func__);
-- goto fail;
-- }
-+ br_hmac_key_init(&kc, &br_sha256_vtable, key->ptr, key->len);
-+ br_hmac_init(&ctx, &kc, 0);
-+ br_hmac_update(&ctx, pe->ptr, pe->len);
-+ br_hmac_out(&ctx, dgst);
-+ explicit_bzero(&kc, sizeof(kc));
-+ explicit_bzero(&ctx, sizeof(ctx));
-
- item = cbor_build_bytestring(dgst, 16);
- fail:
-diff --git a/src/cred.c b/src/cred.c
-index 4ecbba8..a3d5898 100644
---- a/src/cred.c
-+++ b/src/cred.c
-@@ -4,10 +4,7 @@
- * license that can be found in the LICENSE file.
- */
-
--#include <openssl/ec.h>
--#include <openssl/evp.h>
--#include <openssl/sha.h>
--#include <openssl/x509.h>
-+#include <bearssl.h>
-
- #include <string.h>
- #include "fido.h"
-@@ -188,18 +185,17 @@ check_extensions(const fido_cred_ext_t *authdata_ext, const fido_cred_ext_t *ext
- int
- fido_check_rp_id(const char *id, const unsigned char *obtained_hash)
- {
-- unsigned char expected_hash[SHA256_DIGEST_LENGTH];
-+ br_sha256_context ctx;
-+ unsigned char expected_hash[br_sha256_SIZE];
-
- explicit_bzero(expected_hash, sizeof(expected_hash));
-
-- if (SHA256((const unsigned char *)id, strlen(id),
-- expected_hash) != expected_hash) {
-- fido_log_debug("%s: sha256", __func__);
-- return (-1);
-- }
-+ br_sha256_init(&ctx);
-+ br_sha256_update(&ctx, id, strlen(id));
-+ br_sha256_out(&ctx, expected_hash);
-
- return (timingsafe_bcmp(expected_hash, obtained_hash,
-- SHA256_DIGEST_LENGTH));
-+ br_sha256_SIZE));
- }
-
- static int
-@@ -209,21 +205,23 @@ get_signed_hash_u2f(fido_blob_t *dgst, const unsigned char *rp_id,
- {
- const uint8_t zero = 0;
- const uint8_t four = 4; /* uncompressed point */
-- SHA256_CTX ctx;
--
-- if (dgst->len != SHA256_DIGEST_LENGTH || SHA256_Init(&ctx) == 0 ||
-- SHA256_Update(&ctx, &zero, sizeof(zero)) == 0 ||
-- SHA256_Update(&ctx, rp_id, rp_id_len) == 0 ||
-- SHA256_Update(&ctx, clientdata->ptr, clientdata->len) == 0 ||
-- SHA256_Update(&ctx, id->ptr, id->len) == 0 ||
-- SHA256_Update(&ctx, &four, sizeof(four)) == 0 ||
-- SHA256_Update(&ctx, pk->x, sizeof(pk->x)) == 0 ||
-- SHA256_Update(&ctx, pk->y, sizeof(pk->y)) == 0 ||
-- SHA256_Final(dgst->ptr, &ctx) == 0) {
-+ br_sha256_context ctx;
-+
-+ if (dgst->len != br_sha256_SIZE) {
- fido_log_debug("%s: sha256", __func__);
- return (-1);
- }
-
-+ br_sha256_init(&ctx);
-+ br_sha256_update(&ctx, &zero, sizeof(zero));
-+ br_sha256_update(&ctx, rp_id, rp_id_len);
-+ br_sha256_update(&ctx, clientdata->ptr, clientdata->len);
-+ br_sha256_update(&ctx, id->ptr, id->len);
-+ br_sha256_update(&ctx, &four, sizeof(four));
-+ br_sha256_update(&ctx, pk->x, sizeof(pk->x));
-+ br_sha256_update(&ctx, pk->y, sizeof(pk->y));
-+ br_sha256_out(&ctx, dgst->ptr);
-+
- return (0);
- }
-
-@@ -231,42 +229,29 @@ static int
- verify_sig(const fido_blob_t *dgst, const fido_blob_t *x5c,
- const fido_blob_t *sig)
- {
-- BIO *rawcert = NULL;
-- X509 *cert = NULL;
-- EVP_PKEY *pkey = NULL;
-- EC_KEY *ec;
-- int ok = -1;
--
-- /* openssl needs ints */
-- if (dgst->len > INT_MAX || x5c->len > INT_MAX || sig->len > INT_MAX) {
-- fido_log_debug("%s: dgst->len=%zu, x5c->len=%zu, sig->len=%zu",
-- __func__, dgst->len, x5c->len, sig->len);
-- return (-1);
-- }
-+ br_x509_decoder_context ctx;
-+ br_x509_pkey *pkey;
-+ int ok = -1;
-
- /* fetch key from x509 */
-- if ((rawcert = BIO_new_mem_buf(x5c->ptr, (int)x5c->len)) == NULL ||
-- (cert = d2i_X509_bio(rawcert, NULL)) == NULL ||
-- (pkey = X509_get_pubkey(cert)) == NULL ||
-- (ec = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) {
-+ br_x509_decoder_init(&ctx, NULL, NULL);
-+ br_x509_decoder_push(&ctx, x5c->ptr, x5c->len);
-+ if (br_x509_decoder_last_error(&ctx) != 0 ||
-+ (pkey = br_x509_decoder_get_pkey(&ctx)) == NULL ||
-+ pkey->key_type != BR_KEYTYPE_EC) {
- fido_log_debug("%s: x509 key", __func__);
- goto fail;
- }
-
-- if (ECDSA_verify(0, dgst->ptr, (int)dgst->len, sig->ptr,
-- (int)sig->len, ec) != 1) {
-- fido_log_debug("%s: ECDSA_verify", __func__);
-+ if (br_ecdsa_vrfy_asn1_get_default()(br_ec_get_default(), dgst->ptr,
-+ dgst->len, &pkey->key.ec, sig->ptr, sig->len) == 0) {
-+ fido_log_debug("%s: ECDSA verify", __func__);
- goto fail;
- }
-
- ok = 0;
- fail:
-- if (rawcert != NULL)
-- BIO_free(rawcert);
-- if (cert != NULL)
-- X509_free(cert);
-- if (pkey != NULL)
-- EVP_PKEY_free(pkey);
-+ explicit_bzero(&ctx, sizeof(ctx));
-
- return (ok);
- }
-@@ -274,7 +259,7 @@ fail:
- int
- fido_cred_verify(const fido_cred_t *cred)
- {
-- unsigned char buf[SHA256_DIGEST_LENGTH];
-+ unsigned char buf[br_sha256_SIZE];
- fido_blob_t dgst;
- int r;
-
-diff --git a/src/credman.c b/src/credman.c
-index a382185..a6557d3 100644
---- a/src/credman.c
-+++ b/src/credman.c
-@@ -4,7 +4,7 @@
- * license that can be found in the LICENSE file.
- */
-
--#include <openssl/sha.h>
-+#include <bearssl.h>
-
- #include <string.h>
-
-@@ -369,14 +369,14 @@ static int
- credman_get_rk_wait(fido_dev_t *dev, const char *rp_id, fido_credman_rk_t *rk,
- const char *pin, int ms)
- {
-- fido_blob_t rp_dgst;
-- uint8_t dgst[SHA256_DIGEST_LENGTH];
-- int r;
-+ fido_blob_t rp_dgst;
-+ br_sha256_context ctx;
-+ uint8_t dgst[br_sha256_SIZE];
-+ int r;
-
-- if (SHA256((const unsigned char *)rp_id, strlen(rp_id), dgst) != dgst) {
-- fido_log_debug("%s: sha256", __func__);
-- return (FIDO_ERR_INTERNAL);
-- }
-+ br_sha256_init(&ctx);
-+ br_sha256_update(&ctx, rp_id, strlen(rp_id));
-+ br_sha256_out(&ctx, dgst);
-
- rp_dgst.ptr = dgst;
- rp_dgst.len = sizeof(dgst);
-diff --git a/src/ecdh.c b/src/ecdh.c
-index 7f25c7b..7576ae4 100644
---- a/src/ecdh.c
-+++ b/src/ecdh.c
-@@ -4,8 +4,7 @@
- * license that can be found in the LICENSE file.
- */
-
--#include <openssl/evp.h>
--#include <openssl/sha.h>
-+#include <bearssl.h>
-
- #include "fido.h"
- #include "fido/es256.h"
-@@ -13,63 +12,43 @@
- static int
- do_ecdh(const es256_sk_t *sk, const es256_pk_t *pk, fido_blob_t **ecdh)
- {
-- EVP_PKEY *pk_evp = NULL;
-- EVP_PKEY *sk_evp = NULL;
-- EVP_PKEY_CTX *ctx = NULL;
-- fido_blob_t *secret = NULL;
-- int ok = -1;
-+ unsigned char q[65];
-+ br_sha256_context ctx;
-+ int ok = -1;
-
- *ecdh = NULL;
-
- /* allocate blobs for secret & ecdh */
-- if ((secret = fido_blob_new()) == NULL ||
-- (*ecdh = fido_blob_new()) == NULL)
-+ if ((*ecdh = fido_blob_new()) == NULL)
- goto fail;
-
-- /* wrap the keys as openssl objects */
-- if ((pk_evp = es256_pk_to_EVP_PKEY(pk)) == NULL ||
-- (sk_evp = es256_sk_to_EVP_PKEY(sk)) == NULL) {
-- fido_log_debug("%s: es256_to_EVP_PKEY", __func__);
-- goto fail;
-- }
--
-- /* set ecdh parameters */
-- if ((ctx = EVP_PKEY_CTX_new(sk_evp, NULL)) == NULL ||
-- EVP_PKEY_derive_init(ctx) <= 0 ||
-- EVP_PKEY_derive_set_peer(ctx, pk_evp) <= 0) {
-- fido_log_debug("%s: EVP_PKEY_derive_init", __func__);
-- goto fail;
-- }
-+ q[0] = 4;
-+ memcpy(q + 1, pk->x, 32);
-+ memcpy(q + 1 + 32, pk->y, 32);
-
- /* perform ecdh */
-- if (EVP_PKEY_derive(ctx, NULL, &secret->len) <= 0 ||
-- (secret->ptr = calloc(1, secret->len)) == NULL ||
-- EVP_PKEY_derive(ctx, secret->ptr, &secret->len) <= 0) {
-- fido_log_debug("%s: EVP_PKEY_derive", __func__);
-+ if (br_ec_get_default()->mul(q, sizeof(q), sk->d, sizeof(sk->d),
-+ BR_EC_secp256r1) != 1) {
-+ fido_log_debug("%s: ECDH", __func__);
- goto fail;
- }
-
- /* use sha256 as a kdf on the resulting secret */
-- (*ecdh)->len = SHA256_DIGEST_LENGTH;
-- if (((*ecdh)->ptr = calloc(1, (*ecdh)->len)) == NULL ||
-- SHA256(secret->ptr, secret->len, (*ecdh)->ptr) != (*ecdh)->ptr) {
-+ (*ecdh)->len = br_sha256_SIZE;
-+ if (((*ecdh)->ptr = calloc(1, (*ecdh)->len)) == NULL) {
- fido_log_debug("%s: sha256", __func__);
- goto fail;
- }
-+ br_sha256_init(&ctx);
-+ br_sha256_update(&ctx, q + 1, 32);
-+ br_sha256_out(&ctx, (*ecdh)->ptr);
-
- ok = 0;
- fail:
-- if (pk_evp != NULL)
-- EVP_PKEY_free(pk_evp);
-- if (sk_evp != NULL)
-- EVP_PKEY_free(sk_evp);
-- if (ctx != NULL)
-- EVP_PKEY_CTX_free(ctx);
-+ explicit_bzero(q, sizeof(q));
- if (ok < 0)
- fido_blob_free(ecdh);
-
-- fido_blob_free(&secret);
--
- return (ok);
- }
-
-diff --git a/src/eddsa.c b/src/eddsa.c
-index 44a5563..252e7ec 100644
---- a/src/eddsa.c
-+++ b/src/eddsa.c
-@@ -4,75 +4,10 @@
- * license that can be found in the LICENSE file.
- */
-
--#include <openssl/bn.h>
--#include <openssl/ec.h>
--#include <openssl/evp.h>
--#include <openssl/obj_mac.h>
--
- #include <string.h>
- #include "fido.h"
- #include "fido/eddsa.h"
-
--#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10101000L
--EVP_PKEY *
--EVP_PKEY_new_raw_public_key(int type, ENGINE *e, const unsigned char *key,
-- size_t keylen)
--{
-- (void)type;
-- (void)e;
-- (void)key;
-- (void)keylen;
--
-- fido_log_debug("%s: unimplemented", __func__);
--
-- return (NULL);
--}
--
--int
--EVP_PKEY_get_raw_public_key(const EVP_PKEY *pkey, unsigned char *pub,
-- size_t *len)
--{
-- (void)pkey;
-- (void)pub;
-- (void)len;
--
-- fido_log_debug("%s: unimplemented", __func__);
--
-- return (0);
--}
--
--int
--EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, size_t siglen,
-- const unsigned char *tbs, size_t tbslen)
--{
-- (void)ctx;
-- (void)sigret;
-- (void)siglen;
-- (void)tbs;
-- (void)tbslen;
--
-- fido_log_debug("%s: unimplemented", __func__);
--
-- return (0);
--}
--#endif /* LIBRESSL_VERSION_NUMBER || OPENSSL_VERSION_NUMBER < 0x10101000L */
--
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
--EVP_MD_CTX *
--EVP_MD_CTX_new(void)
--{
-- fido_log_debug("%s: unimplemented", __func__);
--
-- return (NULL);
--}
--
--void
--EVP_MD_CTX_free(EVP_MD_CTX *ctx)
--{
-- (void)ctx;
--}
--#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
--
- static int
- decode_coord(const cbor_item_t *item, void *xy, size_t xy_len)
- {
-@@ -148,30 +83,3 @@ eddsa_pk_from_ptr(eddsa_pk_t *pk, const void *ptr, size_t len)
-
- return (FIDO_OK);
- }
--
--EVP_PKEY *
--eddsa_pk_to_EVP_PKEY(const eddsa_pk_t *k)
--{
-- EVP_PKEY *pkey = NULL;
--
-- if ((pkey = EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519, NULL, k->x,
-- sizeof(k->x))) == NULL)
-- fido_log_debug("%s: EVP_PKEY_new_raw_public_key", __func__);
--
-- return (pkey);
--}
--
--int
--eddsa_pk_from_EVP_PKEY(eddsa_pk_t *pk, const EVP_PKEY *pkey)
--{
-- size_t len = 0;
--
-- if (EVP_PKEY_get_raw_public_key(pkey, NULL, &len) != 1 ||
-- len != sizeof(pk->x))
-- return (FIDO_ERR_INTERNAL);
-- if (EVP_PKEY_get_raw_public_key(pkey, pk->x, &len) != 1 ||
-- len != sizeof(pk->x))
-- return (FIDO_ERR_INTERNAL);
--
-- return (FIDO_OK);
--}
-diff --git a/src/es256.c b/src/es256.c
-index 020ecaa..49ffd82 100644
---- a/src/es256.c
-+++ b/src/es256.c
-@@ -4,10 +4,7 @@
- * license that can be found in the LICENSE file.
- */
-
--#include <openssl/bn.h>
--#include <openssl/ec.h>
--#include <openssl/evp.h>
--#include <openssl/obj_mac.h>
-+#include <bearssl.h>
-
- #include <string.h>
- #include "fido.h"
-@@ -208,253 +205,64 @@ es256_pk_set_y(es256_pk_t *pk, const unsigned char *y)
- int
- es256_sk_create(es256_sk_t *key)
- {
-- EVP_PKEY_CTX *pctx = NULL;
-- EVP_PKEY_CTX *kctx = NULL;
-- EVP_PKEY *p = NULL;
-- EVP_PKEY *k = NULL;
-- const EC_KEY *ec;
-- const BIGNUM *d;
-- const int nid = NID_X9_62_prime256v1;
-- int n;
-- int ok = -1;
--
-- if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL ||
-- EVP_PKEY_paramgen_init(pctx) <= 0 ||
-- EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, nid) <= 0 ||
-- EVP_PKEY_paramgen(pctx, &p) <= 0) {
-- fido_log_debug("%s: EVP_PKEY_paramgen", __func__);
-- goto fail;
-- }
--
-- if ((kctx = EVP_PKEY_CTX_new(p, NULL)) == NULL ||
-- EVP_PKEY_keygen_init(kctx) <= 0 || EVP_PKEY_keygen(kctx, &k) <= 0) {
-- fido_log_debug("%s: EVP_PKEY_keygen", __func__);
-- goto fail;
-- }
--
-- if ((ec = EVP_PKEY_get0_EC_KEY(k)) == NULL ||
-- (d = EC_KEY_get0_private_key(ec)) == NULL ||
-- (n = BN_num_bytes(d)) < 0 || (size_t)n > sizeof(key->d) ||
-- (n = BN_bn2bin(d, key->d)) < 0 || (size_t)n > sizeof(key->d)) {
-- fido_log_debug("%s: EC_KEY_get0_private_key", __func__);
-- goto fail;
-- }
--
-- ok = 0;
--fail:
-- if (p != NULL)
-- EVP_PKEY_free(p);
-- if (k != NULL)
-- EVP_PKEY_free(k);
-- if (pctx != NULL)
-- EVP_PKEY_CTX_free(pctx);
-- if (kctx != NULL)
-- EVP_PKEY_CTX_free(kctx);
--
-- return (ok);
--}
--
--EVP_PKEY *
--es256_pk_to_EVP_PKEY(const es256_pk_t *k)
--{
-- BN_CTX *bnctx = NULL;
-- EC_KEY *ec = NULL;
-- EC_POINT *q = NULL;
-- EVP_PKEY *pkey = NULL;
-- BIGNUM *x = NULL;
-- BIGNUM *y = NULL;
-- const EC_GROUP *g = NULL;
-- const int nid = NID_X9_62_prime256v1;
-- int ok = -1;
--
-- if ((bnctx = BN_CTX_new()) == NULL)
-- goto fail;
--
-- BN_CTX_start(bnctx);
--
-- if ((x = BN_CTX_get(bnctx)) == NULL ||
-- (y = BN_CTX_get(bnctx)) == NULL)
-- goto fail;
--
-- if (BN_bin2bn(k->x, sizeof(k->x), x) == NULL ||
-- BN_bin2bn(k->y, sizeof(k->y), y) == NULL) {
-- fido_log_debug("%s: BN_bin2bn", __func__);
-- goto fail;
-- }
-+ br_prng_seeder seeder;
-+ br_hmac_drbg_context rng;
-+ br_ec_private_key skey;
-+ unsigned char kbuf[BR_EC_KBUF_PRIV_MAX_SIZE];
-+ int ok = -1;
-
-- if ((ec = EC_KEY_new_by_curve_name(nid)) == NULL ||
-- (g = EC_KEY_get0_group(ec)) == NULL) {
-- fido_log_debug("%s: EC_KEY init", __func__);
-+ if ((seeder = br_prng_seeder_system(NULL)) == NULL) {
-+ fido_log_debug("%s: no PRNG seeder", __func__);
- goto fail;
- }
--
-- if ((q = EC_POINT_new(g)) == NULL ||
-- EC_POINT_set_affine_coordinates_GFp(g, q, x, y, bnctx) == 0 ||
-- EC_KEY_set_public_key(ec, q) == 0) {
-- fido_log_debug("%s: EC_KEY_set_public_key", __func__);
-+ br_hmac_drbg_init(&rng, &br_sha256_vtable, NULL, 0);
-+ if (seeder(&rng.vtable) == 0) {
-+ fido_log_debug("%s: seed PRNG", __func__);
- goto fail;
- }
--
-- if ((pkey = EVP_PKEY_new()) == NULL ||
-- EVP_PKEY_assign_EC_KEY(pkey, ec) == 0) {
-- fido_log_debug("%s: EVP_PKEY_assign_EC_KEY", __func__);
-+ if (br_ec_keygen(&rng.vtable, br_ec_get_default(), &skey, kbuf,
-+ BR_EC_secp256r1) != sizeof(key->d)) {
-+ fido_log_debug("%s: EC keygen", __func__);
- goto fail;
- }
--
-- ec = NULL; /* at this point, ec belongs to evp */
-+ memcpy(key->d, skey.x, sizeof(key->d));
-+ explicit_bzero(&skey, sizeof(skey));
-+ explicit_bzero(kbuf, sizeof(kbuf));
-
- ok = 0;
- fail:
-- if (bnctx != NULL) {
-- BN_CTX_end(bnctx);
-- BN_CTX_free(bnctx);
-- }
--
-- if (ec != NULL)
-- EC_KEY_free(ec);
-- if (q != NULL)
-- EC_POINT_free(q);
--
-- if (ok < 0 && pkey != NULL) {
-- EVP_PKEY_free(pkey);
-- pkey = NULL;
-- }
--
-- return (pkey);
--}
--
--int
--es256_pk_from_EC_KEY(es256_pk_t *pk, const EC_KEY *ec)
--{
-- BN_CTX *bnctx = NULL;
-- BIGNUM *x = NULL;
-- BIGNUM *y = NULL;
-- const EC_POINT *q = NULL;
-- const EC_GROUP *g = NULL;
-- int ok = FIDO_ERR_INTERNAL;
-- int n;
--
-- if ((q = EC_KEY_get0_public_key(ec)) == NULL ||
-- (g = EC_KEY_get0_group(ec)) == NULL ||
-- (bnctx = BN_CTX_new()) == NULL)
-- goto fail;
--
-- BN_CTX_start(bnctx);
--
-- if ((x = BN_CTX_get(bnctx)) == NULL ||
-- (y = BN_CTX_get(bnctx)) == NULL)
-- goto fail;
--
-- if (EC_POINT_get_affine_coordinates_GFp(g, q, x, y, bnctx) == 0 ||
-- (n = BN_num_bytes(x)) < 0 || (size_t)n > sizeof(pk->x) ||
-- (n = BN_num_bytes(y)) < 0 || (size_t)n > sizeof(pk->y)) {
-- fido_log_debug("%s: EC_POINT_get_affine_coordinates_GFp",
-- __func__);
-- goto fail;
-- }
--
-- if ((n = BN_bn2bin(x, pk->x)) < 0 || (size_t)n > sizeof(pk->x) ||
-- (n = BN_bn2bin(y, pk->y)) < 0 || (size_t)n > sizeof(pk->y)) {
-- fido_log_debug("%s: BN_bn2bin", __func__);
-- goto fail;
-- }
--
-- ok = FIDO_OK;
--fail:
-- if (bnctx != NULL) {
-- BN_CTX_end(bnctx);
-- BN_CTX_free(bnctx);
-- }
--
- return (ok);
- }
-
--EVP_PKEY *
--es256_sk_to_EVP_PKEY(const es256_sk_t *k)
--{
-- BN_CTX *bnctx = NULL;
-- EC_KEY *ec = NULL;
-- EVP_PKEY *pkey = NULL;
-- BIGNUM *d = NULL;
-- const int nid = NID_X9_62_prime256v1;
-- int ok = -1;
--
-- if ((bnctx = BN_CTX_new()) == NULL)
-- goto fail;
--
-- BN_CTX_start(bnctx);
--
-- if ((d = BN_CTX_get(bnctx)) == NULL ||
-- BN_bin2bn(k->d, sizeof(k->d), d) == NULL) {
-- fido_log_debug("%s: BN_bin2bn", __func__);
-- goto fail;
-- }
--
-- if ((ec = EC_KEY_new_by_curve_name(nid)) == NULL ||
-- EC_KEY_set_private_key(ec, d) == 0) {
-- fido_log_debug("%s: EC_KEY_set_private_key", __func__);
-- goto fail;
-- }
--
-- if ((pkey = EVP_PKEY_new()) == NULL ||
-- EVP_PKEY_assign_EC_KEY(pkey, ec) == 0) {
-- fido_log_debug("%s: EVP_PKEY_assign_EC_KEY", __func__);
-- goto fail;
-- }
--
-- ec = NULL; /* at this point, ec belongs to evp */
--
-- ok = 0;
--fail:
-- if (bnctx != NULL) {
-- BN_CTX_end(bnctx);
-- BN_CTX_free(bnctx);
-- }
--
-- if (ec != NULL)
-- EC_KEY_free(ec);
--
-- if (ok < 0 && pkey != NULL) {
-- EVP_PKEY_free(pkey);
-- pkey = NULL;
-- }
--
-- return (pkey);
--}
--
- int
- es256_derive_pk(const es256_sk_t *sk, es256_pk_t *pk)
- {
-- BIGNUM *d = NULL;
-- EC_KEY *ec = NULL;
-- EC_POINT *q = NULL;
-- const EC_GROUP *g = NULL;
-- const int nid = NID_X9_62_prime256v1;
-- int ok = -1;
--
-- if ((d = BN_bin2bn(sk->d, (int)sizeof(sk->d), NULL)) == NULL ||
-- (ec = EC_KEY_new_by_curve_name(nid)) == NULL ||
-- (g = EC_KEY_get0_group(ec)) == NULL ||
-- (q = EC_POINT_new(g)) == NULL) {
-- fido_log_debug("%s: get", __func__);
-- goto fail;
-- }
--
-- if (EC_POINT_mul(g, q, d, NULL, NULL, NULL) == 0 ||
-- EC_KEY_set_public_key(ec, q) == 0 ||
-- es256_pk_from_EC_KEY(pk, ec) != FIDO_OK) {
-- fido_log_debug("%s: set", __func__);
-+ br_ec_private_key skey;
-+ br_ec_public_key pkey;
-+ unsigned char kbuf[BR_EC_KBUF_PUB_MAX_SIZE];
-+ int ok = -1;
-+
-+ skey.curve = BR_EC_secp256r1;
-+#ifdef __GNUC__
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wcast-qual"
-+#endif
-+ skey.x = (unsigned char *)sk->d;
-+ skey.xlen = sizeof(sk->d);
-+#ifdef __GNUC__
-+#pragma GCC diagnostic pop
-+#endif
-+ if (br_ec_compute_pub(br_ec_get_default(), &pkey, kbuf, &skey) != 65 ||
-+ pkey.q[0] != 4 ||
-+ es256_pk_set_x(pk, pkey.q + 1) != 0 ||
-+ es256_pk_set_y(pk, pkey.q + 1 + 32) != 0) {
-+ fido_log_debug("%s: EC compute pub", __func__);
- goto fail;
- }
-
- ok = 0;
- fail:
-- if (d != NULL)
-- BN_clear_free(d);
-- if (q != NULL)
-- EC_POINT_free(q);
-- if (ec != NULL)
-- EC_KEY_free(ec);
-+ explicit_bzero(kbuf, sizeof(kbuf));
-
- return (ok);
- }
-diff --git a/src/fido.h b/src/fido.h
-index e41de89..cd613e4 100644
---- a/src/fido.h
-+++ b/src/fido.h
-@@ -7,9 +7,6 @@
- #ifndef _FIDO_H
- #define _FIDO_H
-
--#include <openssl/ec.h>
--#include <openssl/evp.h>
--
- #include <stdbool.h>
- #include <stdint.h>
- #include <stdlib.h>
-diff --git a/src/fido/eddsa.h b/src/fido/eddsa.h
-index 4a81017..15e24a6 100644
---- a/src/fido/eddsa.h
-+++ b/src/fido/eddsa.h
-@@ -7,8 +7,6 @@
- #ifndef _FIDO_EDDSA_H
- #define _FIDO_EDDSA_H
-
--#include <openssl/ec.h>
--
- #include <stdint.h>
- #include <stdlib.h>
-
-@@ -24,29 +22,9 @@ extern "C" {
-
- eddsa_pk_t *eddsa_pk_new(void);
- void eddsa_pk_free(eddsa_pk_t **);
--EVP_PKEY *eddsa_pk_to_EVP_PKEY(const eddsa_pk_t *);
-
--int eddsa_pk_from_EVP_PKEY(eddsa_pk_t *, const EVP_PKEY *);
- int eddsa_pk_from_ptr(eddsa_pk_t *, const void *, size_t);
-
--#ifdef _FIDO_INTERNAL
--
--#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10101000L
--#define EVP_PKEY_ED25519 EVP_PKEY_NONE
--int EVP_PKEY_get_raw_public_key(const EVP_PKEY *, unsigned char *, size_t *);
--EVP_PKEY *EVP_PKEY_new_raw_public_key(int, ENGINE *, const unsigned char *,
-- size_t);
--int EVP_DigestVerify(EVP_MD_CTX *, const unsigned char *, size_t,
-- const unsigned char *, size_t);
--#endif /* LIBRESSL_VERSION_NUMBER || OPENSSL_VERSION_NUMBER < 0x10101000L */
--
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
--EVP_MD_CTX *EVP_MD_CTX_new(void);
--void EVP_MD_CTX_free(EVP_MD_CTX *);
--#endif
--
--#endif /* _FIDO_INTERNAL */
--
- #ifdef __cplusplus
- } /* extern "C" */
- #endif /* __cplusplus */
-diff --git a/src/fido/es256.h b/src/fido/es256.h
-index 80f4db3..d0c5b24 100644
---- a/src/fido/es256.h
-+++ b/src/fido/es256.h
-@@ -7,8 +7,6 @@
- #ifndef _FIDO_ES256_H
- #define _FIDO_ES256_H
-
--#include <openssl/ec.h>
--
- #include <stdint.h>
- #include <stdlib.h>
-
-@@ -24,15 +22,12 @@ extern "C" {
-
- es256_pk_t *es256_pk_new(void);
- void es256_pk_free(es256_pk_t **);
--EVP_PKEY *es256_pk_to_EVP_PKEY(const es256_pk_t *);
-
--int es256_pk_from_EC_KEY(es256_pk_t *, const EC_KEY *);
- int es256_pk_from_ptr(es256_pk_t *, const void *, size_t);
-
- #ifdef _FIDO_INTERNAL
- es256_sk_t *es256_sk_new(void);
- void es256_sk_free(es256_sk_t **);
--EVP_PKEY *es256_sk_to_EVP_PKEY(const es256_sk_t *);
-
- int es256_derive_pk(const es256_sk_t *, es256_pk_t *);
- int es256_sk_create(es256_sk_t *);
-diff --git a/src/fido/rs256.h b/src/fido/rs256.h
-index 2b08d59..15c456e 100644
---- a/src/fido/rs256.h
-+++ b/src/fido/rs256.h
-@@ -7,8 +7,6 @@
- #ifndef _FIDO_RS256_H
- #define _FIDO_RS256_H
-
--#include <openssl/rsa.h>
--
- #include <stdint.h>
- #include <stdlib.h>
-
-@@ -24,9 +22,7 @@ extern "C" {
-
- rs256_pk_t *rs256_pk_new(void);
- void rs256_pk_free(rs256_pk_t **);
--EVP_PKEY *rs256_pk_to_EVP_PKEY(const rs256_pk_t *);
-
--int rs256_pk_from_RSA(rs256_pk_t *, const RSA *);
- int rs256_pk_from_ptr(rs256_pk_t *, const void *, size_t);
-
- #ifdef __cplusplus
-diff --git a/src/rs256.c b/src/rs256.c
-index 9f30163..c9da648 100644
---- a/src/rs256.c
-+++ b/src/rs256.c
-@@ -4,41 +4,12 @@
- * license that can be found in the LICENSE file.
- */
-
--#include <openssl/bn.h>
--#include <openssl/rsa.h>
--#include <openssl/evp.h>
--#include <openssl/obj_mac.h>
-+#include <bearssl.h>
-
- #include <string.h>
- #include "fido.h"
- #include "fido/rs256.h"
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
--static int
--RSA_bits(const RSA *r)
--{
-- return (BN_num_bits(r->n));
--}
--
--static int
--RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
--{
-- r->n = n;
-- r->e = e;
-- r->d = d;
--
-- return (1);
--}
--
--static void
--RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
--{
-- *n = r->n;
-- *e = r->e;
-- *d = r->d;
--}
--#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
--
- static int
- decode_bignum(const cbor_item_t *item, void *ptr, size_t len)
- {
-@@ -116,89 +87,3 @@ rs256_pk_from_ptr(rs256_pk_t *pk, const void *ptr, size_t len)
-
- return (FIDO_OK);
- }
--
--EVP_PKEY *
--rs256_pk_to_EVP_PKEY(const rs256_pk_t *k)
--{
-- RSA *rsa = NULL;
-- EVP_PKEY *pkey = NULL;
-- BIGNUM *n = NULL;
-- BIGNUM *e = NULL;
-- int ok = -1;
--
-- if ((n = BN_new()) == NULL || (e = BN_new()) == NULL)
-- goto fail;
--
-- if (BN_bin2bn(k->n, sizeof(k->n), n) == NULL ||
-- BN_bin2bn(k->e, sizeof(k->e), e) == NULL) {
-- fido_log_debug("%s: BN_bin2bn", __func__);
-- goto fail;
-- }
--
-- if ((rsa = RSA_new()) == NULL || RSA_set0_key(rsa, n, e, NULL) == 0) {
-- fido_log_debug("%s: RSA_set0_key", __func__);
-- goto fail;
-- }
--
-- /* at this point, n and e belong to rsa */
-- n = NULL;
-- e = NULL;
--
-- if ((pkey = EVP_PKEY_new()) == NULL ||
-- EVP_PKEY_assign_RSA(pkey, rsa) == 0) {
-- fido_log_debug("%s: EVP_PKEY_assign_RSA", __func__);
-- goto fail;
-- }
--
-- rsa = NULL; /* at this point, rsa belongs to evp */
--
-- ok = 0;
--fail:
-- if (n != NULL)
-- BN_free(n);
-- if (e != NULL)
-- BN_free(e);
-- if (rsa != NULL)
-- RSA_free(rsa);
-- if (ok < 0 && pkey != NULL) {
-- EVP_PKEY_free(pkey);
-- pkey = NULL;
-- }
--
-- return (pkey);
--}
--
--int
--rs256_pk_from_RSA(rs256_pk_t *pk, const RSA *rsa)
--{
-- const BIGNUM *n = NULL;
-- const BIGNUM *e = NULL;
-- const BIGNUM *d = NULL;
-- int k;
--
-- if (RSA_bits(rsa) != 2048) {
-- fido_log_debug("%s: invalid key length", __func__);
-- return (FIDO_ERR_INVALID_ARGUMENT);
-- }
--
-- RSA_get0_key(rsa, &n, &e, &d);
--
-- if (n == NULL || e == NULL) {
-- fido_log_debug("%s: RSA_get0_key", __func__);
-- return (FIDO_ERR_INTERNAL);
-- }
--
-- if ((k = BN_num_bytes(n)) < 0 || (size_t)k > sizeof(pk->n) ||
-- (k = BN_num_bytes(e)) < 0 || (size_t)k > sizeof(pk->e)) {
-- fido_log_debug("%s: invalid key", __func__);
-- return (FIDO_ERR_INTERNAL);
-- }
--
-- if ((k = BN_bn2bin(n, pk->n)) < 0 || (size_t)k > sizeof(pk->n) ||
-- (k = BN_bn2bin(e, pk->e)) < 0 || (size_t)k > sizeof(pk->e)) {
-- fido_log_debug("%s: BN_bn2bin", __func__);
-- return (FIDO_ERR_INTERNAL);
-- }
--
-- return (FIDO_OK);
--}
-diff --git a/src/u2f.c b/src/u2f.c
-index 848d2fb..aa73881 100644
---- a/src/u2f.c
-+++ b/src/u2f.c
-@@ -4,8 +4,7 @@
- * license that can be found in the LICENSE file.
- */
-
--#include <openssl/sha.h>
--#include <openssl/x509.h>
-+#include <bearssl.h>
-
- #include <string.h>
- #ifdef HAVE_UNISTD_H
-@@ -78,21 +77,31 @@ sig_get(fido_blob_t *sig, const unsigned char **buf, size_t *len)
- static int
- x5c_get(fido_blob_t *x5c, const unsigned char **buf, size_t *len)
- {
-- X509 *cert = NULL;
-- int ok = -1;
--
-- if (*len > LONG_MAX) {
-- fido_log_debug("%s: invalid len %zu", __func__, *len);
-- goto fail;
-- }
-+ br_x509_decoder_context ctx;
-+ const unsigned char *seq;
-+ size_t len_len;
-+ int ok = -1;
-
- /* find out the certificate's length */
-- const unsigned char *end = *buf;
-- if ((cert = d2i_X509(NULL, &end, (long)*len)) == NULL || end <= *buf ||
-- (x5c->len = (size_t)(end - *buf)) >= *len) {
-- fido_log_debug("%s: d2i_X509", __func__);
-+ seq = *buf;
-+ if (*len < 2 || seq[0] != 0x30 || seq[1] == 0x80) {
-+ fido_log_debug("%s: X.509 decode", __func__);
- goto fail;
- }
-+ if ((seq[1] & 0x80) != 0) {
-+ len_len = seq[1] & 0x7f;
-+ if (len_len > sizeof(size_t) || len_len > *len - 2) {
-+ fido_log_debug("%s: X.509 decode", __func__);
-+ goto fail;
-+ }
-+ seq += 2;
-+ x5c->len = 0;
-+ while (len_len--)
-+ x5c->len = x5c->len << 8 | *seq++;
-+ x5c->len += seq - *buf;
-+ } else {
-+ x5c->len = 2 + seq[1];
-+ }
-
- /* read accordingly */
- if ((x5c->ptr = calloc(1, x5c->len)) == NULL ||
-@@ -103,8 +112,7 @@ x5c_get(fido_blob_t *x5c, const unsigned char **buf, size_t *len)
-
- ok = 0;
- fail:
-- if (cert != NULL)
-- X509_free(cert);
-+ explicit_bzero(&ctx, sizeof(ctx));
-
- if (ok < 0) {
- free(x5c->ptr);
-@@ -119,6 +127,7 @@ static int
- authdata_fake(const char *rp_id, uint8_t flags, uint32_t sigcount,
- fido_blob_t *fake_cbor_ad)
- {
-+ br_sha256_context ctx;
- uint8_t authdata[AUTHDATA_BASE_SIZE] = {0};
- unsigned char *rp_id_hash;
- cbor_item_t *item = NULL;
-@@ -126,11 +135,9 @@ authdata_fake(const char *rp_id, uint8_t flags, uint32_t sigcount,
-
- rp_id_hash = (unsigned char *)&authdata[AUTHDATA_RP_ID_HASH];
-
-- if (SHA256((const void *)rp_id, strlen(rp_id),
-- rp_id_hash) != rp_id_hash) {
-- fido_log_debug("%s: sha256", __func__);
-- return (-1);
-- }
-+ br_sha256_init(&ctx);
-+ br_sha256_update(&ctx, rp_id, strlen(rp_id));
-+ br_sha256_out(&ctx, rp_id_hash);
-
- authdata[AUTHDATA_FLAGS] = flags; /* XXX translate? */
- memcpy(&authdata[AUTHDATA_SIGN_COUNT], &sigcount, 4);
-@@ -158,8 +165,8 @@ static int
- send_dummy_register(fido_dev_t *dev, int ms)
- {
- iso7816_apdu_t *apdu = NULL;
-- unsigned char challenge[SHA256_DIGEST_LENGTH];
-- unsigned char application[SHA256_DIGEST_LENGTH];
-+ unsigned char challenge[br_sha256_SIZE];
-+ unsigned char application[br_sha256_SIZE];
- unsigned char reply[FIDO_MAXMSG];
- int r;
-
-@@ -172,7 +179,7 @@ send_dummy_register(fido_dev_t *dev, int ms)
- memset(&application, 0xff, sizeof(application));
-
- if ((apdu = iso7816_new(U2F_CMD_REGISTER, 0, 2 *
-- SHA256_DIGEST_LENGTH)) == NULL ||
-+ br_sha256_SIZE)) == NULL ||
- iso7816_add(apdu, &challenge, sizeof(challenge)) < 0 ||
- iso7816_add(apdu, &application, sizeof(application)) < 0) {
- fido_log_debug("%s: iso7816", __func__);
-@@ -210,9 +217,10 @@ static int
- key_lookup(fido_dev_t *dev, const char *rp_id, const fido_blob_t *key_id,
- int *found, int ms)
- {
-+ br_sha256_context ctx;
- iso7816_apdu_t *apdu = NULL;
-- unsigned char challenge[SHA256_DIGEST_LENGTH];
-- unsigned char rp_id_hash[SHA256_DIGEST_LENGTH];
-+ unsigned char challenge[br_sha256_SIZE];
-+ unsigned char rp_id_hash[br_sha256_SIZE];
- unsigned char reply[FIDO_MAXMSG];
- uint8_t key_id_len;
- int r;
-@@ -227,17 +235,14 @@ key_lookup(fido_dev_t *dev, const char *rp_id, const fido_blob_t *key_id,
- memset(&challenge, 0xff, sizeof(challenge));
- memset(&rp_id_hash, 0, sizeof(rp_id_hash));
-
-- if (SHA256((const void *)rp_id, strlen(rp_id),
-- rp_id_hash) != rp_id_hash) {
-- fido_log_debug("%s: sha256", __func__);
-- r = FIDO_ERR_INTERNAL;
-- goto fail;
-- }
-+ br_sha256_init(&ctx);
-+ br_sha256_update(&ctx, rp_id, strlen(rp_id));
-+ br_sha256_out(&ctx, rp_id_hash);
-
- key_id_len = (uint8_t)key_id->len;
-
- if ((apdu = iso7816_new(U2F_CMD_AUTH, U2F_AUTH_CHECK, 2 *
-- SHA256_DIGEST_LENGTH + sizeof(key_id_len) + key_id_len)) == NULL ||
-+ br_sha256_SIZE + sizeof(key_id_len) + key_id_len)) == NULL ||
- iso7816_add(apdu, &challenge, sizeof(challenge)) < 0 ||
- iso7816_add(apdu, &rp_id_hash, sizeof(rp_id_hash)) < 0 ||
- iso7816_add(apdu, &key_id_len, sizeof(key_id_len)) < 0 ||
-@@ -316,8 +321,9 @@ static int
- do_auth(fido_dev_t *dev, const fido_blob_t *cdh, const char *rp_id,
- const fido_blob_t *key_id, fido_blob_t *sig, fido_blob_t *ad, int ms)
- {
-+ br_sha256_context ctx;
- iso7816_apdu_t *apdu = NULL;
-- unsigned char rp_id_hash[SHA256_DIGEST_LENGTH];
-+ unsigned char rp_id_hash[br_sha256_SIZE];
- unsigned char reply[FIDO_MAXMSG];
- int reply_len;
- uint8_t key_id_len;
-@@ -327,7 +333,7 @@ do_auth(fido_dev_t *dev, const fido_blob_t *cdh, const char *rp_id,
- ms = 0; /* XXX */
- #endif
-
-- if (cdh->len != SHA256_DIGEST_LENGTH || key_id->len > UINT8_MAX ||
-+ if (cdh->len != br_sha256_SIZE || key_id->len > UINT8_MAX ||
- rp_id == NULL) {
- r = FIDO_ERR_INVALID_ARGUMENT;
- goto fail;
-@@ -335,17 +341,14 @@ do_auth(fido_dev_t *dev, const fido_blob_t *cdh, const char *rp_id,
-
- memset(&rp_id_hash, 0, sizeof(rp_id_hash));
-
-- if (SHA256((const void *)rp_id, strlen(rp_id),
-- rp_id_hash) != rp_id_hash) {
-- fido_log_debug("%s: sha256", __func__);
-- r = FIDO_ERR_INTERNAL;
-- goto fail;
-- }
-+ br_sha256_init(&ctx);
-+ br_sha256_update(&ctx, rp_id, strlen(rp_id));
-+ br_sha256_out(&ctx, rp_id_hash);
-
- key_id_len = (uint8_t)key_id->len;
-
- if ((apdu = iso7816_new(U2F_CMD_AUTH, U2F_AUTH_SIGN, 2 *
-- SHA256_DIGEST_LENGTH + sizeof(key_id_len) + key_id_len)) == NULL ||
-+ br_sha256_SIZE + sizeof(key_id_len) + key_id_len)) == NULL ||
- iso7816_add(apdu, cdh->ptr, cdh->len) < 0 ||
- iso7816_add(apdu, &rp_id_hash, sizeof(rp_id_hash)) < 0 ||
- iso7816_add(apdu, &key_id_len, sizeof(key_id_len)) < 0 ||
-@@ -434,6 +437,7 @@ static int
- encode_cred_authdata(const char *rp_id, const uint8_t *kh, uint8_t kh_len,
- const uint8_t *pubkey, size_t pubkey_len, fido_blob_t *out)
- {
-+ br_sha256_context ctx;
- uint8_t authdata[AUTHDATA_BASE_SIZE] = {0};
- unsigned char *rp_id_hash;
- uint8_t attcred_raw[ATTCRED_BASE_SIZE] = {0};
-@@ -461,11 +465,9 @@ encode_cred_authdata(const char *rp_id, const uint8_t *kh, uint8_t kh_len,
-
- rp_id_hash = (unsigned char *)&authdata[AUTHDATA_RP_ID_HASH];
-
-- if (SHA256((const void *)rp_id, strlen(rp_id),
-- rp_id_hash) != rp_id_hash) {
-- fido_log_debug("%s: sha256", __func__);
-- goto fail;
-- }
-+ br_sha256_init(&ctx);
-+ br_sha256_update(&ctx, rp_id, strlen(rp_id));
-+ br_sha256_out(&ctx, rp_id_hash);
-
- authdata[AUTHDATA_FLAGS] = (CTAP_AUTHDATA_ATT_CRED |
- CTAP_AUTHDATA_USER_PRESENT);
-@@ -607,8 +609,9 @@ fail:
- int
- u2f_register(fido_dev_t *dev, fido_cred_t *cred, int ms)
- {
-+ br_sha256_context ctx;
- iso7816_apdu_t *apdu = NULL;
-- unsigned char rp_id_hash[SHA256_DIGEST_LENGTH];
-+ unsigned char rp_id_hash[br_sha256_SIZE];
- unsigned char reply[FIDO_MAXMSG];
- int reply_len;
- int found;
-@@ -625,7 +628,7 @@ u2f_register(fido_dev_t *dev, fido_cred_t *cred, int ms)
- }
-
- if (cred->type != COSE_ES256 || cred->cdh.ptr == NULL ||
-- cred->rp.id == NULL || cred->cdh.len != SHA256_DIGEST_LENGTH) {
-+ cred->rp.id == NULL || cred->cdh.len != br_sha256_SIZE) {
- fido_log_debug("%s: type=%d, cdh=(%p,%zu)" , __func__,
- cred->type, (void *)cred->cdh.ptr, cred->cdh.len);
- return (FIDO_ERR_INVALID_ARGUMENT);
-@@ -649,14 +652,12 @@ u2f_register(fido_dev_t *dev, fido_cred_t *cred, int ms)
-
- memset(&rp_id_hash, 0, sizeof(rp_id_hash));
-
-- if (SHA256((const void *)cred->rp.id, strlen(cred->rp.id),
-- rp_id_hash) != rp_id_hash) {
-- fido_log_debug("%s: sha256", __func__);
-- return (FIDO_ERR_INTERNAL);
-- }
-+ br_sha256_init(&ctx);
-+ br_sha256_update(&ctx, cred->rp.id, strlen(cred->rp.id));
-+ br_sha256_out(&ctx, rp_id_hash);
-
- if ((apdu = iso7816_new(U2F_CMD_REGISTER, 0, 2 *
-- SHA256_DIGEST_LENGTH)) == NULL ||
-+ br_sha256_SIZE)) == NULL ||
- iso7816_add(apdu, cred->cdh.ptr, cred->cdh.len) < 0 ||
- iso7816_add(apdu, rp_id_hash, sizeof(rp_id_hash)) < 0) {
- fido_log_debug("%s: iso7816", __func__);
---
-2.26.1
-
diff --git a/pkg/libfido2/ver b/pkg/libfido2/ver
@@ -1 +1 @@
-1.4.0 r0
+1.4.0 r1