git: 079a1c2059e7 - stable/13 - libfido2: update to 1.10.0
Date: Fri, 21 Jul 2023 15:38:39 UTC
The branch stable/13 has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=079a1c2059e7cc19360ff6840317efefdff876a1
commit 079a1c2059e7cc19360ff6840317efefdff876a1
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-05-05 23:57:34 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-07-21 14:41:42 +0000
libfido2: update to 1.10.0
Some highlights from NEWS:
** bio: fix CTAP2 canonical CBOR encoding in fido_bio_dev_enroll_*();
gh#480.
** New API calls:
- fido_dev_info_set;
- fido_dev_io_handle;
- fido_dev_new_with_info;
- fido_dev_open_with_info.
** Documentation and reliability fixes.
** Support for TPM 2.0 attestation of COSE_ES256 credentials.
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 3e696dfb7009cd8ffa12e36f48f4339bb7a2048d)
---
contrib/libfido2/CMakeLists.txt | 47 +-
contrib/libfido2/LICENSE | 2 +-
contrib/libfido2/NEWS | 14 +
contrib/libfido2/README.adoc | 4 +-
contrib/libfido2/SECURITY.md | 5 +
contrib/libfido2/examples/README.adoc | 2 +-
contrib/libfido2/fuzz/Dockerfile | 2 +-
contrib/libfido2/fuzz/Makefile | 2 +-
contrib/libfido2/fuzz/export.gnu | 1 +
contrib/libfido2/fuzz/functions.txt | 35 +-
contrib/libfido2/fuzz/fuzz_hid.c | 11 +-
contrib/libfido2/fuzz/report.tgz | Bin 320981 -> 323706 bytes
contrib/libfido2/fuzz/summary.txt | 14 +-
contrib/libfido2/man/CMakeLists.txt | 17 +-
contrib/libfido2/man/check.sh | 42 ++
contrib/libfido2/man/eddsa_pk_new.3 | 4 +-
contrib/libfido2/man/es256_pk_new.3 | 8 +-
contrib/libfido2/man/fido2-assert.1 | 6 +-
contrib/libfido2/man/fido2-cred.1 | 6 +-
contrib/libfido2/man/fido2-token.1 | 24 +-
contrib/libfido2/man/fido_assert_allow_cred.3 | 4 +-
contrib/libfido2/man/fido_assert_new.3 | 95 ++--
contrib/libfido2/man/fido_assert_set_authdata.3 | 57 ++-
contrib/libfido2/man/fido_assert_verify.3 | 6 +-
contrib/libfido2/man/fido_bio_dev_get_info.3 | 2 +-
contrib/libfido2/man/fido_bio_enroll_new.3 | 4 +-
contrib/libfido2/man/fido_bio_info_new.3 | 2 +-
contrib/libfido2/man/fido_bio_template.3 | 4 +-
contrib/libfido2/man/fido_cbor_info_new.3 | 3 +-
contrib/libfido2/man/fido_cred_exclude.3 | 2 +-
contrib/libfido2/man/fido_cred_new.3 | 10 +-
contrib/libfido2/man/fido_cred_set_authdata.3 | 20 +-
contrib/libfido2/man/fido_cred_verify.3 | 44 +-
contrib/libfido2/man/fido_credman_metadata_new.3 | 6 +-
contrib/libfido2/man/fido_dev_enable_entattest.3 | 6 +-
contrib/libfido2/man/fido_dev_get_assert.3 | 6 +-
contrib/libfido2/man/fido_dev_get_touch_begin.3 | 4 +-
contrib/libfido2/man/fido_dev_info_manifest.3 | 41 +-
contrib/libfido2/man/fido_dev_largeblob_get.3 | 10 +-
contrib/libfido2/man/fido_dev_make_cred.3 | 6 +-
contrib/libfido2/man/fido_dev_open.3 | 71 ++-
contrib/libfido2/man/fido_dev_set_io_functions.3 | 81 +++-
contrib/libfido2/man/fido_dev_set_pin.3 | 2 +-
contrib/libfido2/man/fido_init.3 | 28 +-
contrib/libfido2/man/fido_strerr.3 | 2 +-
contrib/libfido2/man/rs256_pk_new.3 | 4 +-
contrib/libfido2/regress/cred.c | 576 ++++++++++++++++++++++-
contrib/libfido2/src/CMakeLists.txt | 2 +-
contrib/libfido2/src/bio.c | 4 +-
contrib/libfido2/src/cbor.c | 1 -
contrib/libfido2/src/dev.c | 7 +
contrib/libfido2/src/eddsa.c | 6 +-
contrib/libfido2/src/export.gnu | 4 +
contrib/libfido2/src/export.llvm | 4 +
contrib/libfido2/src/export.msvc | 4 +
contrib/libfido2/src/extern.h | 1 -
contrib/libfido2/src/fido.h | 8 +-
contrib/libfido2/src/fido/types.h | 4 +-
contrib/libfido2/src/hid.c | 56 ++-
contrib/libfido2/src/hid_osx.c | 62 ++-
contrib/libfido2/src/hid_win.c | 2 +-
contrib/libfido2/src/tpm.c | 144 +++++-
contrib/libfido2/src/webauthn.h | 88 +++-
contrib/libfido2/src/winhello.c | 171 ++++---
contrib/libfido2/tools/test.sh | 6 +-
contrib/libfido2/windows/build.ps1 | 2 +-
contrib/libfido2/windows/const.ps1 | 6 +-
contrib/libfido2/windows/cygwin.gpg | Bin 0 -> 2193 bytes
contrib/libfido2/windows/cygwin.ps1 | 68 +++
contrib/libfido2/windows/release.ps1 | 19 +-
lib/libfido2/Makefile | 2 +-
71 files changed, 1639 insertions(+), 374 deletions(-)
diff --git a/contrib/libfido2/CMakeLists.txt b/contrib/libfido2/CMakeLists.txt
index d775a98c5b48..11a51ac5a645 100644
--- a/contrib/libfido2/CMakeLists.txt
+++ b/contrib/libfido2/CMakeLists.txt
@@ -9,7 +9,7 @@ project(libfido2 C)
cmake_minimum_required(VERSION 3.0)
# Set PIE flags for POSITION_INDEPENDENT_CODE targets, added in CMake 3.14.
if(POLICY CMP0083)
- cmake_policy(SET CMP0083 NEW)
+ cmake_policy(SET CMP0083 NEW)
endif()
include(CheckCCompilerFlag)
@@ -21,14 +21,14 @@ include(CheckTypeSize)
include(GNUInstallDirs)
include(CheckPIESupported OPTIONAL RESULT_VARIABLE CHECK_PIE_SUPPORTED)
if(CHECK_PIE_SUPPORTED)
- check_pie_supported(LANGUAGES C)
+ check_pie_supported(LANGUAGES C)
endif()
set(CMAKE_POSITION_INDEPENDENT_CODE ON)
set(CMAKE_COLOR_MAKEFILE OFF)
set(CMAKE_VERBOSE_MAKEFILE ON)
set(FIDO_MAJOR "1")
-set(FIDO_MINOR "9")
+set(FIDO_MINOR "10")
set(FIDO_PATCH "0")
set(FIDO_VERSION ${FIDO_MAJOR}.${FIDO_MINOR}.${FIDO_PATCH})
@@ -40,16 +40,15 @@ option(BUILD_TOOLS "Build tool programs" ON)
option(FUZZ "Enable fuzzing instrumentation" OFF)
option(LIBFUZZER "Build libfuzzer harnesses" OFF)
option(USE_HIDAPI "Use hidapi as the HID backend" OFF)
-option(USE_WINHELLO "Abstract Windows Hello as a FIDO device" OFF)
-option(NFC_LINUX "Experimental NFC support on Linux" OFF)
+option(USE_WINHELLO "Abstract Windows Hello as a FIDO device" ON)
+option(NFC_LINUX "Enable NFC support on Linux" ON)
add_definitions(-D_FIDO_MAJOR=${FIDO_MAJOR})
add_definitions(-D_FIDO_MINOR=${FIDO_MINOR})
add_definitions(-D_FIDO_PATCH=${FIDO_PATCH})
-if(CYGWIN OR MSYS)
+if(CYGWIN OR MSYS OR MINGW)
set(WIN32 1)
- add_definitions(-DWINVER=0x0a00)
endif()
if(WIN32)
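Review bot: `USE_WINHELLO` and `NFC_LINUX` now default to ON on every platform, but their help strings do not say that the value is ignored where the backend does not apply. The later hunks in this file override them with plain `set(NFC_LINUX OFF)` (MSVC and non-Linux branches) and `set(USE_WINHELLO OFF)` (non-WIN32 branch), which shadows the cache entry without changing it, so CMakeCache.txt still reports ON for a transport that was compiled out. Anyone auditing which device backends a build exposes would get the wrong answer from the cache. Suggest help text such as `"Enable NFC support on Linux (ignored on other platforms)"` and one `message(STATUS "NFC_LINUX=${NFC_LINUX} USE_WINHELLO=${USE_WINHELLO}")` after the overrides have run.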
@@ -68,12 +67,13 @@ if(NOT MSVC)
set(FIDO_CFLAGS "${FIDO_CFLAGS} -D_DARWIN_C_SOURCE")
set(FIDO_CFLAGS "${FIDO_CFLAGS} -D__STDC_WANT_LIB_EXT1__=1")
elseif(CMAKE_SYSTEM_NAME STREQUAL "Linux")
- set(NFC_LINUX ON)
set(FIDO_CFLAGS "${FIDO_CFLAGS} -D_GNU_SOURCE")
set(FIDO_CFLAGS "${FIDO_CFLAGS} -D_DEFAULT_SOURCE")
elseif(CMAKE_SYSTEM_NAME STREQUAL "FreeBSD" OR
CMAKE_SYSTEM_NAME STREQUAL "MidnightBSD")
set(FIDO_CFLAGS "${FIDO_CFLAGS} -D__BSD_VISIBLE=1")
+ elseif(CMAKE_SYSTEM_NAME STREQUAL "NetBSD")
+ set(FIDO_CFLAGS "${FIDO_CFLAGS} -D_NETBSD_SOURCE")
endif()
set(FIDO_CFLAGS "${FIDO_CFLAGS} -std=c99")
set(CMAKE_C_FLAGS "${FIDO_CFLAGS} ${CMAKE_C_FLAGS}")
@@ -167,12 +167,13 @@ if(MSVC)
endif()
set(CBOR_LIBRARIES cbor)
set(ZLIB_LIBRARIES zlib)
- set(CRYPTO_LIBRARIES crypto-46)
+ set(CRYPTO_LIBRARIES crypto-47)
set(MSVC_DISABLED_WARNINGS_LIST
"C4152" # nonstandard extension used: function/data pointer
# conversion in expression;
"C4200" # nonstandard extension used: zero-sized array in
# struct/union;
+ "C4201" # nonstandard extension used: nameless struct/union;
"C4204" # nonstandard extension used: non-constant aggregate
# initializer;
"C4706" # assignment within conditional expression;
@@ -188,8 +189,10 @@ if(MSVC)
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -MP -W4 -WX ${MSVC_DISABLED_WARNINGS_STR}")
set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} /Od /Z7 /guard:cf /sdl /RTCcsu")
set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} /Zi /guard:cf /sdl")
- add_definitions(-DUSE_WINHELLO)
- set(USE_WINHELLO ON)
+ if(USE_WINHELLO)
+ add_definitions(-DUSE_WINHELLO)
+ endif()
+ set(NFC_LINUX OFF)
else()
include(FindPkgConfig)
pkg_search_module(CBOR libcbor)
@@ -223,6 +226,8 @@ else()
set(BASE_LIBRARIES ${BASE_LIBRARIES} rt)
endif()
endif()
+ else()
+ set(NFC_LINUX OFF)
endif()
if(MINGW)
@@ -238,14 +243,18 @@ else()
set(HIDAPI_LIBRARIES hidapi${HIDAPI_SUFFIX})
endif()
- if(FUZZ)
- set(NFC_LINUX ON)
- endif()
-
if(NFC_LINUX)
add_definitions(-DNFC_LINUX)
endif()
+ if(WIN32)
+ if(USE_WINHELLO)
+ add_definitions(-DUSE_WINHELLO)
+ endif()
+ else()
+ set(USE_WINHELLO OFF)
+ endif()
+
add_compile_options(-Wall)
add_compile_options(-Wextra)
add_compile_options(-Werror)
@@ -257,6 +266,10 @@ else()
add_compile_options(-pedantic)
add_compile_options(-pedantic-errors)
+ if(WIN32)
+ add_compile_options(-Wno-type-limits)
+ add_compile_options(-Wno-cast-function-type)
+ endif()
if(HAVE_SHORTEN_64_TO_32)
add_compile_options(-Wshorten-64-to-32)
endif()
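Review bot: The two `-Wno-...` options added under `if(WIN32)` go through `add_compile_options`, so `-Wtype-limits` and `-Wcast-function-type` are switched off for every target of a non-MSVC Windows build, not only for the sources that need the exemption. `-Wcast-function-type` is the diagnostic that reports calls through mismatched function-pointer types, so it is worth a comment naming the file that requires it (presumably the dynamically resolved Windows entry points; to be confirmed). Ideally the flag is scoped there with `set_source_files_properties(<file> PROPERTIES COMPILE_FLAGS "-Wno-cast-function-type")`. Unlike `-Wshorten-64-to-32` just below, which is guarded by `HAVE_SHORTEN_64_TO_32`, these flags are not probed with `check_c_compiler_flag`, so a compiler that does not recognise them may fail the build under the `-Werror` set a few lines earlier. The enclosing `else()` branch starts outside this hunk.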
@@ -306,10 +319,10 @@ elseif(NOT MSVC)
# clang/gcc + gnu ld
if(FUZZ)
string(CONCAT CMAKE_SHARED_LINKER_FLAGS ${CMAKE_SHARED_LINKER_FLAGS}
- " -Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/fuzz/export.gnu")
+ " -Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/fuzz/export.gnu")
else()
string(CONCAT CMAKE_SHARED_LINKER_FLAGS ${CMAKE_SHARED_LINKER_FLAGS}
- " -Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/src/export.gnu")
+ " -Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/src/export.gnu")
endif()
if(NOT WIN32)
string(CONCAT CMAKE_SHARED_LINKER_FLAGS
diff --git a/contrib/libfido2/LICENSE b/contrib/libfido2/LICENSE
index 4224f20992c0..75a03f87e3af 100644
--- a/contrib/libfido2/LICENSE
+++ b/contrib/libfido2/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2018-2021 Yubico AB. All rights reserved.
+Copyright (c) 2018-2022 Yubico AB. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
diff --git a/contrib/libfido2/NEWS b/contrib/libfido2/NEWS
index 04cda4e0e83a..a48b685156c1 100644
--- a/contrib/libfido2/NEWS
+++ b/contrib/libfido2/NEWS
@@ -1,3 +1,17 @@
+* Version 1.10.0 (2022-01-17)
+ ** hid_osx: handle devices with paths > 511 bytes; gh#462.
+ ** bio: fix CTAP2 canonical CBOR encoding in fido_bio_dev_enroll_*(); gh#480.
+ ** winhello: fallback to GetTopWindow() if GetForegroundWindow() fails.
+ ** winhello: fallback to hid_win.c if webauthn.dll isn't available.
+ ** New API calls:
+ - fido_dev_info_set;
+ - fido_dev_io_handle;
+ - fido_dev_new_with_info;
+ - fido_dev_open_with_info.
+ ** Cygwin and NetBSD build fixes.
+ ** Documentation and reliability fixes.
+ ** Support for TPM 2.0 attestation of COSE_ES256 credentials.
+
* Version 1.9.0 (2021-10-27)
** Enabled NFC support on Linux.
** Added OpenSSL 3.0 compatibility.
diff --git a/contrib/libfido2/README.adoc b/contrib/libfido2/README.adoc
index a0e188bf8774..114cc5eed762 100644
--- a/contrib/libfido2/README.adoc
+++ b/contrib/libfido2/README.adoc
@@ -10,7 +10,7 @@ image:https://oss-fuzz-build-logs.storage.googleapis.com/badges/libfido2.svg["Fu
communicate with a FIDO device over USB, and to verify attestation and
assertion signatures.
-*libfido2* supports the FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2) protocols.
+*libfido2* supports the FIDO U2F (CTAP 1) and FIDO2 (CTAP 2) protocols.
For usage, see the `examples/` directory.
@@ -42,7 +42,7 @@ is also available.
==== Releases
-The current release of *libfido2* is 1.9.0. Please consult Yubico's
+The current release of *libfido2* is 1.10.0. Please consult Yubico's
https://developers.yubico.com/libfido2/Releases[release page] for source
and binary releases.
diff --git a/contrib/libfido2/SECURITY.md b/contrib/libfido2/SECURITY.md
new file mode 100644
index 000000000000..e12a48a847ba
--- /dev/null
+++ b/contrib/libfido2/SECURITY.md
@@ -0,0 +1,5 @@
+# Reporting libfido2 Security Issues
+
+To report security issues in libfido2, please contact security@yubico.com.
+A PGP public key can be found at
+https://www.yubico.com/support/security-advisories/issue-rating-system/.
diff --git a/contrib/libfido2/examples/README.adoc b/contrib/libfido2/examples/README.adoc
index bcecb22f5258..44ee52743a0d 100644
--- a/contrib/libfido2/examples/README.adoc
+++ b/contrib/libfido2/examples/README.adoc
@@ -25,7 +25,7 @@ The following definitions are used in the description below:
- <blobkey>
- A credential's associated FIDO 2.1 "largeBlob" symmetric key.
+ A credential's associated CTAP 2.1 "largeBlob" symmetric key.
=== Description
diff --git a/contrib/libfido2/fuzz/Dockerfile b/contrib/libfido2/fuzz/Dockerfile
index f175991d0462..aefe1980ada4 100644
--- a/contrib/libfido2/fuzz/Dockerfile
+++ b/contrib/libfido2/fuzz/Dockerfile
@@ -7,6 +7,6 @@ ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update
RUN apt-get install -y clang-12 cmake git libssl-dev libudev-dev make pkg-config
RUN apt-get install -y zlib1g-dev
-RUN git clone --branch v0.8.0 https://github.com/PJK/libcbor
+RUN git clone --branch v0.9.0 https://github.com/PJK/libcbor
RUN git clone https://github.com/yubico/libfido2
RUN CC=clang-12 CXX=clang++-12 /libfido2/fuzz/build-coverage /libcbor /libfido2
diff --git a/contrib/libfido2/fuzz/Makefile b/contrib/libfido2/fuzz/Makefile
index 1a974a2bf557..ce3fee73c69c 100644
--- a/contrib/libfido2/fuzz/Makefile
+++ b/contrib/libfido2/fuzz/Makefile
@@ -2,7 +2,7 @@
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
-IMAGE := libfido2-coverage:1.9.1
+IMAGE := libfido2-coverage:1.10.0
RUNNER := libfido2-runner
PROFDATA := llvm-profdata-12
COV := llvm-cov-12
diff --git a/contrib/libfido2/fuzz/export.gnu b/contrib/libfido2/fuzz/export.gnu
index 0c712b30a429..cac142ae970e 100644
--- a/contrib/libfido2/fuzz/export.gnu
+++ b/contrib/libfido2/fuzz/export.gnu
@@ -201,6 +201,7 @@
fido_dev_info_product;
fido_dev_info_product_string;
fido_dev_info_ptr;
+ fido_dev_info_set;
fido_dev_info_vendor;
fido_dev_is_fido2;
fido_dev_major;
diff --git a/contrib/libfido2/fuzz/functions.txt b/contrib/libfido2/fuzz/functions.txt
index 886893b1d11d..946682d07d00 100644
--- a/contrib/libfido2/fuzz/functions.txt
+++ b/contrib/libfido2/fuzz/functions.txt
@@ -172,7 +172,7 @@ cbor_array_iter 12 0 100.00% 16 0
cbor_parse_reply 27 0 100.00% 36 0 100.00%
cbor_vector_free 6 0 100.00% 5 0 100.00%
cbor_bytestring_copy 14 0 100.00% 18 0 100.00%
-cbor_string_copy 14 1 92.86% 18 3 83.33%
+cbor_string_copy 14 0 100.00% 18 0 100.00%
cbor_add_bytestring 14 0 100.00% 21 0 100.00%
cbor_add_string 14 0 100.00% 21 0 100.00%
cbor_add_bool 14 0 100.00% 21 0 100.00%
@@ -200,7 +200,7 @@ cbor_decode_uint64 4 0 100.00% 8 0
cbor_decode_cred_id 8 0 100.00% 9 0 100.00%
cbor_decode_user 8 0 100.00% 9 0 100.00%
cbor_decode_rp_entity 8 0 100.00% 9 0 100.00%
-cbor_build_uint 10 4 60.00% 9 4 55.56%
+cbor_build_uint 10 1 90.00% 9 2 77.78%
cbor_array_append 17 0 100.00% 21 0 100.00%
cbor_array_drop 18 2 88.89% 17 3 82.35%
cbor.c:ctap_check_cbor 28 0 100.00% 26 0 100.00%
@@ -209,7 +209,7 @@ cbor.c:cbor_add_arg 13 0 100.00% 21 0
cbor.c:cbor_add_uint8 14 0 100.00% 21 0 100.00%
cbor.c:cbor_encode_largeblob_key_ext 6 0 100.00% 6 0 100.00%
cbor.c:cbor_encode_hmac_secret_param 59 4 93.22% 66 8 87.88%
-cbor.c:get_cose_alg 36 1 97.22% 38 3 92.11%
+cbor.c:get_cose_alg 36 0 100.00% 38 0 100.00%
cbor.c:find_cose_alg 35 0 100.00% 33 0 100.00%
cbor.c:decode_attcred 25 0 100.00% 44 0 100.00%
cbor.c:decode_cred_extensions 14 0 100.00% 24 0 100.00%
@@ -222,7 +222,7 @@ cbor.c:decode_cred_id_entry 10 0 100.00% 19 0
cbor.c:decode_user_entry 25 0 100.00% 35 0 100.00%
cbor.c:decode_rp_entity_entry 15 0 100.00% 25 0 100.00%
------------------------------------------------------------------------------------------------------------------
-TOTAL 1047 28 97.33% 1237 54 95.63%
+TOTAL 1047 23 97.80% 1237 46 96.28%
File '/libfido2/src/compress.c':
Name Regions Miss Cover Lines Miss Cover
@@ -386,6 +386,7 @@ fido_dev_get_touch_begin 50 0 100.00% 59
fido_dev_get_touch_status 17 0 100.00% 20 0 100.00%
fido_dev_set_io_functions 18 4 77.78% 14 6 57.14%
fido_dev_set_transport_functions 6 2 66.67% 9 3 66.67%
+fido_dev_io_handle 1 1 0.00% 3 3 0.00%
fido_init 8 1 87.50% 5 0 100.00%
fido_dev_new 5 0 100.00% 14 0 100.00%
fido_dev_new_with_info 10 10 0.00% 16 16 0.00%
@@ -419,7 +420,7 @@ dev.c:fido_dev_set_extension_flags 7 0 100.00% 7
dev.c:fido_dev_set_option_flags 29 0 100.00% 18 0 100.00%
dev.c:fido_dev_set_protocol_flags 11 0 100.00% 17 0 100.00%
-------------------------------------------------------------------------------------------------------------------
-TOTAL 420 78 81.43% 488 102 79.10%
+TOTAL 421 79 81.24% 491 105 78.62%
File '/libfido2/src/ecdh.c':
Name Regions Miss Cover Lines Miss Cover
@@ -493,8 +494,9 @@ Name Regions Miss Cover Lines Mis
fido_hid_get_usage 13 0 100.00% 22 0 100.00%
fido_hid_get_report_len 19 0 100.00% 27 0 100.00%
fido_dev_info_new 1 0 100.00% 3 0 100.00%
-fido_dev_info_free 9 0 100.00% 14 0 100.00%
+fido_dev_info_free 9 0 100.00% 9 0 100.00%
fido_dev_info_ptr 1 0 100.00% 3 0 100.00%
+fido_dev_info_set 26 2 92.31% 30 3 90.00%
fido_dev_info_path 1 0 100.00% 3 0 100.00%
fido_dev_info_vendor 1 0 100.00% 3 0 100.00%
fido_dev_info_product 1 0 100.00% 3 0 100.00%
@@ -502,8 +504,9 @@ fido_dev_info_manufacturer_string 1 0 100.00% 3
fido_dev_info_product_string 1 0 100.00% 3 0 100.00%
hid.c:get_key_len 6 0 100.00% 12 0 100.00%
hid.c:get_key_val 6 0 100.00% 18 0 100.00%
+hid.c:fido_dev_info_reset 1 0 100.00% 6 0 100.00%
-------------------------------------------------------------------------------------------------------------------
-TOTAL 60 0 100.00% 114 0 100.00%
+TOTAL 87 2 97.70% 145 3 97.93%
File '/libfido2/src/hid_linux.c':
Name Regions Miss Cover Lines Miss Cover
@@ -612,7 +615,7 @@ File '/libfido2/src/largeblob.c':
Name Regions Miss Cover Lines Miss Cover
-------------------------------------------------------------------------------------------------------------------
fido_dev_largeblob_get 26 2 92.31% 38 4 89.47%
-fido_dev_largeblob_set 27 2 92.59% 36 4 88.89%
+fido_dev_largeblob_set 27 0 100.00% 36 0 100.00%
fido_dev_largeblob_remove 12 0 100.00% 18 0 100.00%
fido_dev_largeblob_get_array 15 2 86.67% 27 4 85.19%
fido_dev_largeblob_set_array 14 0 100.00% 19 0 100.00%
@@ -642,7 +645,7 @@ largeblob.c:largeblob_get_uv_token 19 0 100.00% 23
largeblob.c:largeblob_set_tx 35 0 100.00% 36 0 100.00%
largeblob.c:prepare_hmac 13 2 84.62% 23 7 69.57%
-------------------------------------------------------------------------------------------------------------------
-TOTAL 513 21 95.91% 684 47 93.13%
+TOTAL 513 19 96.30% 684 43 93.71%
File '/libfido2/src/log.c':
Name Regions Miss Cover Lines Miss Cover
@@ -783,11 +786,11 @@ TOTAL 24 0 100.00% 23
File '/libfido2/src/rs1.c':
Name Regions Miss Cover Lines Miss Cover
---------------------------------------------------------------------------------------------------------------------
-rs1_verify_sig 20 1 95.00% 30 3 90.00%
+rs1_verify_sig 20 0 100.00% 30 0 100.00%
rs1.c:rs1_get_EVP_MD 4 0 100.00% 6 0 100.00%
rs1.c:rs1_free_EVP_MD 1 0 100.00% 3 0 100.00%
---------------------------------------------------------------------------------------------------------------------
-TOTAL 25 1 96.00% 39 3 92.31%
+TOTAL 25 0 100.00% 39 0 100.00%
File '/libfido2/src/rs256.c':
Name Regions Miss Cover Lines Miss Cover
@@ -820,15 +823,17 @@ TOTAL 43 3 93.02% 43
File '/libfido2/src/tpm.c':
Name Regions Miss Cover Lines Miss Cover
---------------------------------------------------------------------------------------------------------------------
-fido_get_signed_hash_tpm 20 0 100.00% 25 0 100.00%
-tpm.c:check_rsa2048_pubarea 16 0 100.00% 28 0 100.00%
-tpm.c:bswap_rsa2048_pubarea 1 0 100.00% 10 0 100.00%
+fido_get_signed_hash_tpm 25 0 100.00% 39 0 100.00%
+tpm.c:check_es256_pubarea 18 0 100.00% 30 0 100.00%
+tpm.c:bswap_es256_pubarea 1 0 100.00% 12 0 100.00%
+tpm.c:check_rs256_pubarea 16 0 100.00% 28 0 100.00%
+tpm.c:bswap_rs256_pubarea 1 0 100.00% 10 0 100.00%
tpm.c:check_sha1_certinfo 14 0 100.00% 38 0 100.00%
tpm.c:get_signed_sha1 17 0 100.00% 19 0 100.00%
tpm.c:get_signed_name 7 0 100.00% 10 0 100.00%
tpm.c:bswap_sha1_certinfo 1 0 100.00% 8 0 100.00%
---------------------------------------------------------------------------------------------------------------------
-TOTAL 76 0 100.00% 138 0 100.00%
+TOTAL 100 0 100.00% 194 0 100.00%
File '/libfido2/src/types.c':
Name Regions Miss Cover Lines Miss Cover
diff --git a/contrib/libfido2/fuzz/fuzz_hid.c b/contrib/libfido2/fuzz/fuzz_hid.c
index 556e62ac4cd3..eaf00dc92de8 100644
--- a/contrib/libfido2/fuzz/fuzz_hid.c
+++ b/contrib/libfido2/fuzz/fuzz_hid.c
@@ -175,15 +175,20 @@ static void
manifest(const struct param *p)
{
size_t ndevs, nfound;
- fido_dev_info_t *devlist;
+ fido_dev_info_t *devlist = NULL, *devlist_set = NULL;
int16_t vendor_id, product_id;
+ fido_dev_io_t io;
+ fido_dev_transport_t t;
+ memset(&io, 0, sizeof(io));
+ memset(&t, 0, sizeof(t));
set_netlink_io_functions(fd_read, fd_write);
set_wire_data(p->netlink_wiredata.body, p->netlink_wiredata.len);
set_udev_parameters(p->uevent, &p->report_descriptor);
ndevs = uniform_random(64);
if ((devlist = fido_dev_info_new(ndevs)) == NULL ||
+ (devlist_set = fido_dev_info_new(1)) == NULL ||
fido_dev_info_manifest(devlist, ndevs, &nfound) != FIDO_OK)
goto out;
for (size_t i = 0; i < nfound; i++) {
@@ -195,9 +200,13 @@ manifest(const struct param *p)
product_id = fido_dev_info_product(di);
consume(&vendor_id, sizeof(vendor_id));
consume(&product_id, sizeof(product_id));
+ fido_dev_info_set(devlist_set, 0, fido_dev_info_path(di),
+ fido_dev_info_manufacturer_string(di),
+ fido_dev_info_product_string(di), &io, &t);
}
out:
fido_dev_info_free(&devlist, ndevs);
+ fido_dev_info_free(&devlist_set, 1);
}
void
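Review bot: The return value of `fido_dev_info_set` in the loop is discarded and the entry it fills in `devlist_set` is never read back, so the harness only shows that the call does not crash on these inputs. Checking the result and passing the stored entry through the existing accessors (for example `fido_dev_info_path(fido_dev_info_ptr(devlist_set, 0))` into `consume`) would let the sanitizers see the copied strings. The populated list is also never handed to `fido_dev_new_with_info` or `fido_dev_open_with_info`. In this same commit, fuzz/functions.txt reports `fido_dev_new_with_info` and `fido_dev_io_handle` at 0.00% coverage, so the new entry points remain unexercised. `manifest()` begins in the previous hunk.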
diff --git a/contrib/libfido2/fuzz/report.tgz b/contrib/libfido2/fuzz/report.tgz
index cf74f315cb80..d78f4628de59 100644
Binary files a/contrib/libfido2/fuzz/report.tgz and b/contrib/libfido2/fuzz/report.tgz differ
diff --git a/contrib/libfido2/fuzz/summary.txt b/contrib/libfido2/fuzz/summary.txt
index 298c8377379f..05c000aa7757 100644
--- a/contrib/libfido2/fuzz/summary.txt
+++ b/contrib/libfido2/fuzz/summary.txt
@@ -16,33 +16,33 @@ src/authkey.c 44 0 100.00%
src/bio.c 419 20 95.23% 49 2 95.92% 559 21 96.24%
src/blob.c 53 2 96.23% 10 0 100.00% 83 4 95.18%
src/buf.c 8 1 87.50% 2 0 100.00% 16 1 93.75%
-src/cbor.c 1047 28 97.33% 54 0 100.00% 1237 54 95.63%
+src/cbor.c 1047 23 97.80% 54 0 100.00% 1237 46 96.28%
src/compress.c 34 4 88.24% 3 0 100.00% 28 3 89.29%
src/config.c 108 0 100.00% 11 0 100.00% 151 0 100.00%
src/cred.c 632 34 94.62% 69 2 97.10% 830 36 95.66%
src/credman.c 382 10 97.38% 40 0 100.00% 518 15 97.10%
-src/dev.c 420 78 81.43% 44 6 86.36% 488 102 79.10%
+src/dev.c 421 79 81.24% 45 7 84.44% 491 105 78.62%
src/ecdh.c 117 2 98.29% 4 0 100.00% 146 5 96.58%
src/eddsa.c 80 3 96.25% 10 0 100.00% 106 8 92.45%
src/err.c 122 10 91.80% 1 0 100.00% 126 10 92.06%
src/es256.c 306 5 98.37% 19 0 100.00% 358 7 98.04%
-src/hid.c 60 0 100.00% 12 0 100.00% 114 0 100.00%
+src/hid.c 87 2 97.70% 14 0 100.00% 145 3 97.93%
src/hid_linux.c 173 68 60.69% 14 7 50.00% 250 104 58.40%
src/hid_unix.c 28 20 28.57% 2 0 100.00% 43 24 44.19%
src/info.c 184 0 100.00% 39 0 100.00% 316 0 100.00%
src/io.c 182 7 96.15% 13 0 100.00% 221 11 95.02%
src/iso7816.c 18 1 94.44% 5 0 100.00% 38 0 100.00%
-src/largeblob.c 513 21 95.91% 30 0 100.00% 684 47 93.13%
+src/largeblob.c 513 19 96.30% 30 0 100.00% 684 43 93.71%
src/log.c 39 5 87.18% 7 1 85.71% 63 4 93.65%
src/netlink.c 328 14 95.73% 40 0 100.00% 498 32 93.57%
src/nfc_linux.c 327 73 77.68% 23 5 78.26% 458 124 72.93%
src/pin.c 403 3 99.26% 26 0 100.00% 495 3 99.39%
src/random.c 6 1 83.33% 1 0 100.00% 6 1 83.33%
src/reset.c 24 0 100.00% 3 0 100.00% 23 0 100.00%
-src/rs1.c 25 1 96.00% 3 0 100.00% 39 3 92.31%
+src/rs1.c 25 0 100.00% 3 0 100.00% 39 0 100.00%
src/rs256.c 141 8 94.33% 13 0 100.00% 172 10 94.19%
src/time.c 43 3 93.02% 3 0 100.00% 43 1 97.67%
-src/tpm.c 76 0 100.00% 7 0 100.00% 138 0 100.00%
+src/tpm.c 100 0 100.00% 9 0 100.00% 194 0 100.00%
src/types.c 25 0 100.00% 6 0 100.00% 46 0 100.00%
src/u2f.c 528 4 99.24% 17 0 100.00% 685 12 98.25%
@@ -54,4 +54,4 @@ src/fido.h 0 0 -
src/fido/err.h 0 0 - 0 0 - 0 0 -
src/fido/param.h 0 0 - 0 0 - 0 0 -
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-TOTAL 7809 481 93.84% 679 26 96.17% 10180 708 93.05%
+TOTAL 7861 476 93.94% 684 27 96.05% 10270 699 93.19%
diff --git a/contrib/libfido2/man/CMakeLists.txt b/contrib/libfido2/man/CMakeLists.txt
index 3e50c50d37a0..5ce2fc7b83ed 100644
--- a/contrib/libfido2/man/CMakeLists.txt
+++ b/contrib/libfido2/man/CMakeLists.txt
@@ -44,6 +44,7 @@ list(APPEND MAN_SOURCES
list(APPEND MAN_ALIAS
eddsa_pk_new eddsa_pk_free
+ eddsa_pk_new eddsa_pk_from_EVP_PKEY
eddsa_pk_new eddsa_pk_from_ptr
eddsa_pk_new eddsa_pk_to_EVP_PKEY
es256_pk_new es256_pk_free
@@ -75,6 +76,7 @@ list(APPEND MAN_ALIAS
fido_assert_new fido_assert_user_id_len
fido_assert_new fido_assert_user_id_ptr
fido_assert_new fido_assert_user_name
+ fido_assert_set_authdata fido_assert_set_authdata_raw
fido_assert_set_authdata fido_assert_set_clientdata
fido_assert_set_authdata fido_assert_set_clientdata_hash
fido_assert_set_authdata fido_assert_set_count
@@ -117,8 +119,8 @@ list(APPEND MAN_ALIAS
fido_cbor_info_new fido_cbor_info_free
fido_cbor_info_new fido_cbor_info_maxmsgsiz
fido_cbor_info_new fido_cbor_info_maxcredbloblen
- fido_cbor_info_new fido_cbor_info_maxcredcntlst;
- fido_cbor_info_new fido_cbor_info_maxcredidlen;
+ fido_cbor_info_new fido_cbor_info_maxcredcntlst
+ fido_cbor_info_new fido_cbor_info_maxcredidlen
fido_cbor_info_new fido_cbor_info_fwversion
fido_cbor_info_new fido_cbor_info_options_len
fido_cbor_info_new fido_cbor_info_options_name_ptr
@@ -163,6 +165,7 @@ list(APPEND MAN_ALIAS
fido_cred_new fido_cred_user_name
fido_cred_new fido_cred_x5c_len
fido_cred_new fido_cred_x5c_ptr
+ fido_cred_verify fido_cred_verify_self
fido_credman_metadata_new fido_credman_del_dev_rk
fido_credman_metadata_new fido_credman_get_dev_metadata
fido_credman_metadata_new fido_credman_get_dev_rk
@@ -211,6 +214,7 @@ list(APPEND MAN_ALIAS
fido_dev_info_manifest fido_dev_info_product
fido_dev_info_manifest fido_dev_info_product_string
fido_dev_info_manifest fido_dev_info_ptr
+ fido_dev_info_manifest fido_dev_info_set
fido_dev_info_manifest fido_dev_info_vendor
fido_dev_open fido_dev_build
fido_dev_open fido_dev_cancel
@@ -219,26 +223,33 @@ list(APPEND MAN_ALIAS
fido_dev_open fido_dev_force_fido2
fido_dev_open fido_dev_force_u2f
fido_dev_open fido_dev_free
+ fido_dev_open fido_dev_has_pin
+ fido_dev_open fido_dev_has_uv
fido_dev_open fido_dev_is_fido2
fido_dev_open fido_dev_is_winhello
fido_dev_open fido_dev_major
fido_dev_open fido_dev_minor
fido_dev_open fido_dev_new
+ fido_dev_open fido_dev_new_with_info
+ fido_dev_open fido_dev_open_with_info
fido_dev_open fido_dev_protocol
fido_dev_open fido_dev_supports_cred_prot
fido_dev_open fido_dev_supports_credman
+ fido_dev_open fido_dev_supports_permissions
fido_dev_open fido_dev_supports_pin
fido_dev_open fido_dev_supports_uv
- fido_dev_open fido_dev_has_uv
fido_dev_set_pin fido_dev_get_retry_count
fido_dev_set_pin fido_dev_get_uv_retry_count
fido_dev_set_pin fido_dev_reset
+ fido_dev_set_io_functions fido_dev_io_handle
fido_dev_set_io_functions fido_dev_set_sigmask
fido_dev_set_io_functions fido_dev_set_timeout
+ fido_dev_set_io_functions fido_dev_set_transport_functions
fido_dev_largeblob_get fido_dev_largeblob_set
fido_dev_largeblob_get fido_dev_largeblob_remove
fido_dev_largeblob_get fido_dev_largeblob_get_array
fido_dev_largeblob_get fido_dev_largeblob_set_array
+ fido_init fido_set_log_handler
rs256_pk_new rs256_pk_free
rs256_pk_new rs256_pk_from_ptr
rs256_pk_new rs256_pk_from_EVP_PKEY
diff --git a/contrib/libfido2/man/check.sh b/contrib/libfido2/man/check.sh
new file mode 100755
index 000000000000..951afeb88e0b
--- /dev/null
+++ b/contrib/libfido2/man/check.sh
@@ -0,0 +1,42 @@
+#!/bin/sh -u
+
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+T=$(mktemp -d) || exit 1
+find . -maxdepth 1 -type f -name '*.3' -print0 > "$T/files"
+
+xargs -0 awk '/^.Sh NAME/,/^.Nd/' < "$T/files" | \
+ awk '/^.Nm/ { print $2 }' | sort -u > "$T/Nm"
+xargs -0 awk '/^.Fn/ { print $2 }' < "$T/files" | sort -u > "$T/Fn"
+(cd "$T" && diff -u Nm Fn)
+
+cut -c2- ../src/export.llvm | sort > "$T/exports"
+(cd "$T" && diff -u Nm exports)
+
+awk '/^list\(APPEND MAN_SOURCES/,/^\)/' CMakeLists.txt | \
+ awk '/.3$/ { print $1 }' | sort > "$T/listed_sources"
+xargs -0 -n1 basename < "$T/files" | sort > "$T/actual_sources"
+(cd "$T" && diff -u listed_sources actual_sources)
+
+awk '/^list\(APPEND MAN_ALIAS/,/^\)/' CMakeLists.txt | \
+ sed '1d;$d' | awk '{ print $1, $2 }' | sort > "$T/listed_aliases"
+xargs -0 grep -o "^.Fn [A-Za-z0-9_]* \"" < "$T/files" | \
+ cut -c3- | sed 's/\.3:\.Fn//;s/ "//' | awk '$1 != $2' | \
+ sort > "$T/actual_aliases"
+(cd "$T" && diff -u listed_aliases actual_aliases)
+
+xargs -0 grep -hB1 "^.Fn [A-Za-z0-9_]* \"" < "$T/files" | \
+ sed -E 's/^.F[tn] //;s/\*[^"\*]+"/\*"/g;s/ [^" \*]+"/"/g;/^--$/d' | \
+ paste -d " " - - | sed 's/\* /\*/' | sort > "$T/documented_prototypes"
+while read -r f; do
+ awk "/\/\*/ { next } /$f\(/,/;/" ../src/fido.h ../src/fido/*.h | \
+ sed -E 's/^[ ]+//;s/[ ]+/ /' | tr '\n' ' ' | \
+ sed 's/(/ "/;s/, /" "/g;s/);/"/;s/ $/\n/'
+done < "$T/exports" | sort > "$T/actual_prototypes"
+(cd "$T" && diff -u documented_prototypes actual_prototypes)
+
+(cd "$T" && rm files Nm Fn exports listed_sources actual_sources \
+ listed_aliases actual_aliases documented_prototypes actual_prototypes)
+rmdir -- "$T"
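Review bot: The script's exit status is that of the final `rmdir`, so a mismatch reported by any of the five `diff -u` comparisons still ends with status 0. If this check is meant to gate a build or CI job, it will not fail when the man pages drift from the exported symbols. The temporary directory is also removed only on the straight-line path, so an interrupt or an early failure leaves it behind, and the final `rmdir` fails if any unexpected file was created in it. Recording the diff results and cleaning up from an EXIT trap covers both, as sketched below; the trap replaces the explicit `rm` and `rmdir` at the end.

```shell
T=$(mktemp -d) || exit 1
trap 'rm -rf -- "$T"' EXIT
rc=0
# … unchanged: build Nm and Fn …
(cd "$T" && diff -u Nm Fn) || rc=1
# … unchanged: build exports …
(cd "$T" && diff -u Nm exports) || rc=1
# … unchanged: build listed_sources and actual_sources …
(cd "$T" && diff -u listed_sources actual_sources) || rc=1
# … unchanged: build listed_aliases and actual_aliases …
(cd "$T" && diff -u listed_aliases actual_aliases) || rc=1
# … unchanged: build documented_prototypes and actual_prototypes …
(cd "$T" && diff -u documented_prototypes actual_prototypes) || rc=1
exit "$rc"
```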
diff --git a/contrib/libfido2/man/eddsa_pk_new.3 b/contrib/libfido2/man/eddsa_pk_new.3
index 65bf9a9f753d..998def484790 100644
--- a/contrib/libfido2/man/eddsa_pk_new.3
+++ b/contrib/libfido2/man/eddsa_pk_new.3
@@ -11,7 +11,7 @@
.Nm eddsa_pk_from_EVP_PKEY ,
.Nm eddsa_pk_from_ptr ,
.Nm eddsa_pk_to_EVP_PKEY
-.Nd FIDO 2 COSE EDDSA API
+.Nd FIDO2 COSE EDDSA API
.Sh SYNOPSIS
.In openssl/evp.h
.In fido/eddsa.h
@@ -106,7 +106,7 @@ If an error occurs,
returns NULL.
.Sh RETURN VALUES
The
-.Fn eddsa_pk_from_EC_KEY
+.Fn eddsa_pk_from_EVP_PKEY
and
.Fn eddsa_pk_from_ptr
functions return
diff --git a/contrib/libfido2/man/es256_pk_new.3 b/contrib/libfido2/man/es256_pk_new.3
index 6c1bac0f57f9..5e184340a575 100644
--- a/contrib/libfido2/man/es256_pk_new.3
+++ b/contrib/libfido2/man/es256_pk_new.3
@@ -9,10 +9,10 @@
.Nm es256_pk_new ,
.Nm es256_pk_free ,
.Nm es256_pk_from_EC_KEY ,
-.Nm es256_pk_from_EVP_KEY ,
+.Nm es256_pk_from_EVP_PKEY ,
.Nm es256_pk_from_ptr ,
.Nm es256_pk_to_EVP_PKEY
-.Nd FIDO 2 COSE ES256 API
+.Nd FIDO2 COSE ES256 API
.Sh SYNOPSIS
.In openssl/ec.h
.In fido/es256.h
@@ -82,7 +82,7 @@ No references to
are kept.
.Pp
The
-.Fn es256_pk_from_EVP_KEY
+.Fn es256_pk_from_EVP_PKEY
function fills
.Fa pk
with the contents of
@@ -124,7 +124,7 @@ returns NULL.
.Sh RETURN VALUES
The
.Fn es256_pk_from_EC_KEY ,
-.Fn es256_pk_from_EVP_KEY ,
+.Fn es256_pk_from_EVP_PKEY ,
and
.Fn es256_pk_from_ptr
functions return
diff --git a/contrib/libfido2/man/fido2-assert.1 b/contrib/libfido2/man/fido2-assert.1
index da47d6f19dd3..ee8135c18483 100644
--- a/contrib/libfido2/man/fido2-assert.1
+++ b/contrib/libfido2/man/fido2-assert.1
@@ -7,7 +7,7 @@
.Os
.Sh NAME
.Nm fido2-assert
-.Nd get/verify a FIDO 2 assertion
+.Nd get/verify a FIDO2 assertion
.Sh SYNOPSIS
.Nm
.Fl G
@@ -24,7 +24,7 @@
.Op Ar type
.Sh DESCRIPTION
.Nm
-gets or verifies a FIDO 2 assertion.
+gets or verifies a FIDO2 assertion.
.Pp
The input of
.Nm
@@ -117,7 +117,7 @@ will not expect a credential id in its input, and may output
multiple assertions.
Resident credentials are called
.Dq discoverable credentials
-in FIDO 2.1.
+in CTAP 2.1.
.It Fl t Ar option
Toggles a key/value
.Ar option ,
diff --git a/contrib/libfido2/man/fido2-cred.1 b/contrib/libfido2/man/fido2-cred.1
index 301564d688e5..0b10e74a0507 100644
--- a/contrib/libfido2/man/fido2-cred.1
+++ b/contrib/libfido2/man/fido2-cred.1
@@ -7,7 +7,7 @@
.Os
.Sh NAME
.Nm fido2-cred
-.Nd make/verify a FIDO 2 credential
+.Nd make/verify a FIDO2 credential
.Sh SYNOPSIS
.Nm
.Fl M
@@ -26,7 +26,7 @@
.Op Ar type
.Sh DESCRIPTION
.Nm
-makes or verifies a FIDO 2 credential.
+makes or verifies a FIDO2 credential.
.Pp
A credential
.Ar type
@@ -143,7 +143,7 @@ will fail.
Create a resident credential.
Resident credentials are called
.Dq discoverable credentials
-in FIDO 2.1.
+in CTAP 2.1.
.It Fl u
Create a U2F credential.
By default,
diff --git a/contrib/libfido2/man/fido2-token.1 b/contrib/libfido2/man/fido2-token.1
index fd82c23cffb7..1aa2feb86859 100644
--- a/contrib/libfido2/man/fido2-token.1
+++ b/contrib/libfido2/man/fido2-token.1
@@ -7,7 +7,7 @@
.Os
.Sh NAME
.Nm fido2-token
-.Nd find and manage a FIDO 2 authenticator
+.Nd find and manage a FIDO2 authenticator
.Sh SYNOPSIS
.Nm
.Fl C
@@ -121,7 +121,7 @@
.Fl V
.Sh DESCRIPTION
.Nm
-manages a FIDO 2 authenticator.
+manages a FIDO2 authenticator.
.Pp
The options are as follows:
.Bl -tag -width Ds
@@ -176,12 +176,12 @@ where
is the enrollment's template base64-encoded id.
The user will be prompted for the PIN.
.It Fl D Fl u Ar device
-Disables the FIDO 2.1
+Disables the CTAP 2.1
.Dq user verification always
feature on
.Ar device .
.It Fl G Fl b Fl k Ar key_path Ar blob_path Ar device
-Gets a FIDO 2.1
+Gets a CTAP 2.1
.Dq largeBlob
encrypted with
.Ar key_path
@@ -194,7 +194,7 @@ The blob is written to
.Ar blob_path .
A PIN or equivalent user-verification gesture is required.
.It Fl G Fl b Fl n Ar rp_id Oo Fl i Ar cred_id Oc Ar blob_path Ar device
-Gets a FIDO 2.1
+Gets a CTAP 2.1
.Dq largeBlob
associated with
.Ar rp_id
@@ -234,7 +234,7 @@ The user will be prompted for the PIN.
.It Fl L
Produces a list of authenticators found by the operating system.
.It Fl L Fl b Ar device
-Produces a list of FIDO 2.1
+Produces a list of CTAP 2.1
.Dq largeBlobs
on
.Ar device .
@@ -264,12 +264,12 @@ Sets the PIN of
.Ar device .
The user will be prompted for the PIN.
.It Fl S Fl a Ar device
-Enables FIDO 2.1 Enterprise Attestation on
+Enables CTAP 2.1 Enterprise Attestation on
.Ar device .
.It Fl S Fl b Fl k Ar key_path Ar blob_path Ar device
Sets
.Ar blob_path
-as a FIDO 2.1
+as a CTAP 2.1
.Dq largeBlob
encrypted with
.Ar key_path
@@ -284,7 +284,7 @@ A PIN or equivalent user-verification gesture is required.
.It Fl S Fl b Fl n Ar rp_id Oo Fl i Ar cred_id Oc Ar blob_path Ar device
Sets
.Ar blob_path
-as a FIDO 2.1
+as a CTAP 2.1
.Dq largeBlob
associated with
.Ar rp_id
@@ -353,7 +353,7 @@ the minimum PIN length of
Multiple IDs may be specified, separated by commas.
The user will be prompted for the PIN.
.It Fl S Fl u Ar device
-Enables the FIDO 2.1
+Enables the CTAP 2.1
.Dq user verification always
feature on
.Ar device .
@@ -392,9 +392,9 @@ An authenticator's path may contain spaces.
.Pp
Resident credentials are called
.Dq discoverable credentials
-in FIDO 2.1.
+in CTAP 2.1.
.Pp
-Whether the FIDO 2.1
+Whether the CTAP 2.1
.Dq user verification always
feature is activated or deactivated after an authenticator reset
is vendor-specific.
diff --git a/contrib/libfido2/man/fido_assert_allow_cred.3 b/contrib/libfido2/man/fido_assert_allow_cred.3
index bbe6e4d8929a..7fd730c3f63c 100644
--- a/contrib/libfido2/man/fido_assert_allow_cred.3
+++ b/contrib/libfido2/man/fido_assert_allow_cred.3
@@ -7,7 +7,7 @@
.Os
.Sh NAME
.Nm fido_assert_allow_cred
-.Nd appends a credential ID to the list of credentials allowed in an assertion
+.Nd allow a credential in a FIDO2 assertion
.Sh SYNOPSIS
.In fido.h
.Ft int
@@ -31,7 +31,7 @@ If
.Fn fido_assert_allow_cred
fails, the existing list of allowed credentials is preserved.
.Pp
-For the format of a FIDO 2 credential ID, please refer to the
+For the format of a FIDO2 credential ID, please refer to the
Web Authentication (webauthn) standard.
.Sh RETURN VALUES
The error codes returned by
diff --git a/contrib/libfido2/man/fido_assert_new.3 b/contrib/libfido2/man/fido_assert_new.3
index 16f4e3a6e46d..a1a3c101ba33 100644
--- a/contrib/libfido2/man/fido_assert_new.3
+++ b/contrib/libfido2/man/fido_assert_new.3
@@ -31,7 +31,7 @@
.Nm fido_assert_id_len ,
.Nm fido_assert_sigcount ,
.Nm fido_assert_flags
-.Nd FIDO 2 assertion API
+.Nd FIDO2 assertion API
.Sh SYNOPSIS
.In fido.h
.Ft fido_assert_t *
@@ -85,9 +85,12 @@
.Ft uint8_t
.Fn fido_assert_flags "const fido_assert_t *assert" "size_t idx"
.Sh DESCRIPTION
-FIDO 2 assertions are abstracted in
-.Em libfido2
-by the
+A FIDO2 assertion is a collection of statements, each statement a
+map between a challenge, a credential, a signature, and ancillary
+attributes.
+In
*** 3261 LINES SKIPPED ***