git: 128bace5102e - stable/14 - libfido2: update to 1.14.0

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Thu, 01 Aug 2024 16:07:20 UTC
The branch stable/14 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=128bace5102e5871fc0a139bb0a3448a08ea3c13

commit 128bace5102e5871fc0a139bb0a3448a08ea3c13
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2024-05-04 16:51:08 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-08-01 15:11:45 +0000

    libfido2: update to 1.14.0
    
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit 60a517b66a69b8c011b04063ef63a938738719bd)
---
 contrib/libfido2/.actions/build-bsd                |  97 +++++++++++
 contrib/libfido2/.actions/build-linux-clang        |  21 +++
 contrib/libfido2/.actions/build-linux-gcc          |  23 +++
 .../.actions/build-linux-i686-w64-mingw32-gcc      |  58 +++++++
 .../libfido2/.actions/build-linux-openssl3-clang   |  33 ++++
 contrib/libfido2/.actions/build-linux-openssl3-gcc |  28 ++++
 .../build-linux-openssl3-i686-w64-mingw32-gcc      |  59 +++++++
 contrib/libfido2/.actions/build-osx-clang          |  19 +++
 contrib/libfido2/.actions/fuzz-linux               |  93 +++++++++++
 contrib/libfido2/.actions/llvm.gpg                 |  52 ++++++
 contrib/libfido2/.actions/setup_clang              |  17 ++
 contrib/libfido2/.gitattributes                    |   1 +
 .../libfido2/.github/ISSUE_TEMPLATE/bug_report.md  |  80 ++++++++++
 contrib/libfido2/.github/ISSUE_TEMPLATE/config.yml |   8 +
 .../libfido2/.github/workflows/alpine_builds.yml   |  39 +++++
 contrib/libfido2/.github/workflows/bsd_builds.yml  |  32 ++++
 contrib/libfido2/.github/workflows/cifuzz_oss.yml  |  46 ++++++
 .../libfido2/.github/workflows/codeql-analysis.yml |  42 +++++
 .../libfido2/.github/workflows/cygwin_builds.yml   |  30 ++++
 .../libfido2/.github/workflows/linux_builds.yml    |  57 +++++++
 contrib/libfido2/.github/workflows/linux_fuzz.yml  |  41 +++++
 .../libfido2/.github/workflows/macos_builds.yml    |  32 ++++
 contrib/libfido2/.github/workflows/openssl3.yml    |  51 ++++++
 .../libfido2/.github/workflows/windows_builds.yml  |  32 ++++
 contrib/libfido2/.gitignore                        |   9 ++
 contrib/libfido2/CMakeLists.txt                    |   4 +-
 contrib/libfido2/NEWS                              |  10 ++
 contrib/libfido2/README.adoc                       |   2 +-
 contrib/libfido2/examples/README.adoc              |   5 +-
 contrib/libfido2/examples/cred.c                   |  30 +++-
 contrib/libfido2/fuzz/Dockerfile                   |   2 +-
 contrib/libfido2/fuzz/Makefile                     |   2 +-
 contrib/libfido2/fuzz/export.gnu                   |   2 +
 contrib/libfido2/fuzz/functions.txt                |  63 ++++----
 contrib/libfido2/fuzz/fuzz_assert.c                |   4 +-
 contrib/libfido2/fuzz/report.tgz                   | Bin 357005 -> 361946 bytes
 contrib/libfido2/fuzz/summary.txt                  |  18 +--
 contrib/libfido2/man/CMakeLists.txt                |   3 +
 contrib/libfido2/man/fido2-assert.1                |  13 +-
 contrib/libfido2/man/fido2-cred.1                  |  13 +-
 contrib/libfido2/man/fido_assert_new.3             |  14 +-
 contrib/libfido2/man/fido_assert_set_authdata.3    |  59 ++++++-
 contrib/libfido2/regress/assert.c                  |  50 +++++-
 contrib/libfido2/regress/cred.c                    |  18 ++-
 contrib/libfido2/regress/eddsa.c                   |   2 +-
 contrib/libfido2/src/assert.c                      |  68 +++++++-
 contrib/libfido2/src/export.gnu                    |   3 +
 contrib/libfido2/src/export.llvm                   |   3 +
 contrib/libfido2/src/export.msvc                   |   3 +
 contrib/libfido2/src/fido.h                        |   4 +
 contrib/libfido2/src/fido/types.h                  |   2 +
 contrib/libfido2/src/webauthn.h                    | 177 +++++++++++++++++++--
 contrib/libfido2/src/winhello.c                    |  63 +++++++-
 contrib/libfido2/tools/assert_get.c                |  19 ++-
 contrib/libfido2/tools/cred_make.c                 |  20 ++-
 contrib/libfido2/tools/extern.h                    |  19 +--
 contrib/libfido2/tools/fido2-assert.c              |   4 +-
 contrib/libfido2/tools/fido2-cred.c                |   4 +-
 contrib/libfido2/udev/70-u2f.rules                 |  32 +++-
 contrib/libfido2/udev/fidodevs                     |  16 +-
 contrib/libfido2/windows/build.ps1                 |   1 +
 contrib/libfido2/windows/const.ps1                 |  16 +-
 lib/libfido2/Makefile                              |   2 +-
 63 files changed, 1646 insertions(+), 124 deletions(-)

diff --git a/contrib/libfido2/.actions/build-bsd b/contrib/libfido2/.actions/build-bsd
new file mode 100755
index 000000000000..66fc4e3ba281
--- /dev/null
+++ b/contrib/libfido2/.actions/build-bsd
@@ -0,0 +1,97 @@
+#!/bin/sh -eux
+
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+BASE_URL="https://builds.sr.ht"
+MANIFEST="$(mktemp)"
+LOGFILE="$(mktemp)"
+trap '[ -f "${LOGFILE}" ] && cat -- "${LOGFILE}"' EXIT
+
+# construct the sourcehut build manifest
+cat > "${MANIFEST}" <<- EOF
+image: ${IMAGE}
+packages:
+  - cmake
+  - llvm
+  - pcsc-lite
+EOF
+
+case "${IMAGE}" in
+	freebsd*)
+cat >> "${MANIFEST}" <<- EOF
+  - libcbor
+  - pkgconf
+EOF
+	;;
+esac
+
+cat >> "${MANIFEST}" <<- EOF
+sources:
+  - ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}#$(git rev-parse HEAD)
+tasks:
+  - build: |
+      if [ "\$(uname)" = "OpenBSD" ]; then
+        SUDO="doas -u root"
+      else
+        SUDO=sudo
+      fi
+      SCAN="/usr/local/bin/scan-build --use-cc=/usr/bin/cc --status-bugs"
+      cd libfido2
+      for T in Debug Release; do
+        mkdir build-\$T
+        (cd build-\$T && \${SCAN} cmake -DCMAKE_BUILD_TYPE=\$T ..)
+        \${SCAN} make -j"\$(sysctl -n hw.ncpu)" -C build-\$T
+        make -C build-\$T regress
+        \${SUDO} make -C build-\$T install
+      done
+EOF
+
+q() {
+	curl \
+		--silent \
+		--oauth2-bearer "${SOURCEHUT_TOKEN}" \
+		--header "Content-Type: application/json" \
+		--data @- -- \
+		"${BASE_URL}/query" \
+	| tee -a -- "${LOGFILE}"
+}
+
+submit_job() {
+	local manifest="$1"
+	jq \
+		--compact-output --null-input \
+		'{ query: $body, variables: { var: $var } }' \
+		--arg body 'mutation($var: String!) { submit(manifest: $var) { id } }' \
+		--rawfile var "${manifest}" \
+	| q \
+	| jq --exit-status --raw-output '.data.submit.id'
+}
+
+job_status() {
+	local id="$1"
+	jq \
+		--compact-output --null-input \
+		'{ query: $body, variables: { var: $var } }' \
+		--arg body 'query($var: Int!) { job(id: $var) { status } }' \
+		--argjson var "${id}" \
+	| q \
+	| jq --exit-status --raw-output '.data.job.status'
+}
+
+JOB_ID="$(submit_job "${MANIFEST}")" || exit 1
+[ -z "${JOB_ID}" ] && exit 1
+echo "Job '${JOB_ID}' running at ${BASE_URL}/~yubico-libfido2/job/${JOB_ID}"
+
+while true; do
+	JOB_STATUS="$(job_status "${JOB_ID}")" || exit 1
+	case "${JOB_STATUS}" in
+		SUCCESS) exit 0;;
+		FAILED) exit 1;;
+		PENDING|QUEUED|RUNNING) ;;
+		*) exit 1;;
+	esac
+	sleep 60
+done
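Review bot: The shebang enables `-x`, so the `curl --oauth2-bearer "${SOURCEHUT_TOKEN}"` call in `q()` is traced to stderr with the token expanded, and the token also sits in curl's argv for the duration of each request. GitHub masks registered secrets in job logs, but that masking is then the only thing keeping the value out of the trace. Making `{ set +x; } 2>/dev/null` the first line of `q()` removes that dependency; `q()` runs as a pipeline stage, so the change presumably stays local to it. Separately, `${MANIFEST}` is never removed, and adding `rm -f -- "${MANIFEST}"` to the EXIT trap would cover that.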
diff --git a/contrib/libfido2/.actions/build-linux-clang b/contrib/libfido2/.actions/build-linux-clang
new file mode 100755
index 000000000000..ba20f1279ec9
--- /dev/null
+++ b/contrib/libfido2/.actions/build-linux-clang
@@ -0,0 +1,21 @@
+#!/bin/sh -eux
+
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+${CC} --version
+SCAN=scan-build${CC#clang}
+
+# Check exports.
+(cd src && ./diff_exports.sh)
+
+# Build, analyze, and install libfido2.
+for T in Debug Release; do
+	mkdir build-$T
+	(cd build-$T && ${SCAN} --use-cc="${CC}" cmake -DCMAKE_BUILD_TYPE=$T ..)
+	${SCAN} --use-cc="${CC}" --status-bugs make -j"$(nproc)" -C build-$T
+	make -C build-$T regress
+	sudo make -C build-$T install
+done
diff --git a/contrib/libfido2/.actions/build-linux-gcc b/contrib/libfido2/.actions/build-linux-gcc
new file mode 100755
index 000000000000..cd42b5eb7bed
--- /dev/null
+++ b/contrib/libfido2/.actions/build-linux-gcc
@@ -0,0 +1,23 @@
+#!/bin/sh -eux
+
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+${CC} --version
+
+# Build and install libfido2.
+for T in Debug Release; do
+	mkdir build-$T
+	(cd build-$T && cmake -DCMAKE_BUILD_TYPE=$T ..)
+	make -j"$(nproc)" -C build-$T
+	make -C build-$T regress
+	sudo make -C build-$T install
+done
+
+# Check udev/fidodevs.
+[ -x "$(which update-alternatives)" ] && {
+	sudo update-alternatives --set awk "$(which original-awk)"
+}
+udev/check.sh udev/fidodevs
diff --git a/contrib/libfido2/.actions/build-linux-i686-w64-mingw32-gcc b/contrib/libfido2/.actions/build-linux-i686-w64-mingw32-gcc
new file mode 100755
index 000000000000..a89578da0886
--- /dev/null
+++ b/contrib/libfido2/.actions/build-linux-i686-w64-mingw32-gcc
@@ -0,0 +1,58 @@
+#!/bin/sh -eux
+
+# Copyright (c) 2022-2023 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+# XXX defining CC and cross-compiling confuses OpenSSL's build.
+unset CC
+
+sudo mkdir /fakeroot
+sudo chmod 755 /fakeroot
+
+cat << EOF > /tmp/mingw.cmake
+SET(CMAKE_SYSTEM_NAME Windows)
+SET(CMAKE_C_COMPILER i686-w64-mingw32-gcc)
+SET(CMAKE_CXX_COMPILER i686-w64-mingw32-g++)
+SET(CMAKE_RC_COMPILER i686-w64-mingw32-windres)
+SET(CMAKE_FIND_ROOT_PATH /fakeroot)
+SET(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER)
+SET(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY)
+SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
+EOF
+
+# Build and install libcbor.
+git clone --depth=1 https://github.com/pjk/libcbor -b v0.10.1
+cd libcbor
+mkdir build
+(cd build && cmake -DCMAKE_TOOLCHAIN_FILE=/tmp/mingw.cmake \
+	-DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX=/fakeroot ..)
+make -j"$(nproc)" -C build
+sudo make -C build install
+cd ..
+
+# Build and install OpenSSL 1.1.1w.
+git clone --depth=1 https://github.com/openssl/openssl -b OpenSSL_1_1_1w
+cd openssl
+./Configure mingw --prefix=/fakeroot --openssldir=/fakeroot/openssl \
+	--cross-compile-prefix=i686-w64-mingw32-
+make -j"$(nproc)"
+sudo make install_sw
+cd ..
+
+# Build and install zlib.
+git clone --depth=1 https://github.com/madler/zlib -b v1.3
+cd zlib
+make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32-
+sudo make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32- DESTDIR=/fakeroot \
+	INCLUDE_PATH=/include LIBRARY_PATH=/lib BINARY_PATH=/bin install
+cd ..
+
+# Build and install libfido2.
+export PKG_CONFIG_PATH=/fakeroot/lib/pkgconfig
+mkdir build
+(cd build && cmake -DCMAKE_TOOLCHAIN_FILE=/tmp/mingw.cmake \
+	-DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=/fakeroot ..)
+make -j"$(nproc)" -C build
+sudo make -C build install
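Review bot: The three `git clone --depth=1 ... -b <tag>` fetches (libcbor `v0.10.1`, `OpenSSL_1_1_1w`, zlib `v1.3`) accept whatever the upstream tag points to at run time, and the results are then built and installed with `sudo make ... install`. Tags can be moved, so a retagged upstream would go unnoticed and the build is not reproducible. Checking the resolved commit after each clone would pin it, e.g. `[ "$(git -C libcbor rev-parse HEAD)" = "<expected-libcbor-commit>" ]`, which is fatal under `-e` on a mismatch. The same pattern appears in build-linux-openssl3-clang, build-linux-openssl3-gcc, build-linux-openssl3-i686-w64-mingw32-gcc and fuzz-linux.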
diff --git a/contrib/libfido2/.actions/build-linux-openssl3-clang b/contrib/libfido2/.actions/build-linux-openssl3-clang
new file mode 100755
index 000000000000..2383e51ad8f5
--- /dev/null
+++ b/contrib/libfido2/.actions/build-linux-openssl3-clang
@@ -0,0 +1,33 @@
+#!/bin/sh -eux
+
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+${CC} --version
+SCAN=scan-build${CC#clang}
+FAKEROOT="$(mktemp -d)"
+
+# Check exports.
+(cd src && ./diff_exports.sh)
+
+# Build and install OpenSSL 3.0.12.
+git clone --branch openssl-3.0.12 \
+	--depth=1 https://github.com/openssl/openssl
+cd openssl
+./Configure linux-x86_64-clang --prefix="${FAKEROOT}" \
+	--openssldir="${FAKEROOT}/openssl" --libdir=lib
+make install_sw
+cd ..
+
+# Build, analyze, and install libfido2.
+for T in Debug Release; do
+	mkdir build-$T
+	export PKG_CONFIG_PATH="${FAKEROOT}/lib/pkgconfig"
+	(cd build-$T && ${SCAN} --use-cc="${CC}" \
+		cmake -DCMAKE_BUILD_TYPE=$T ..)
+	${SCAN} --use-cc="${CC}" --status-bugs make -C build-$T
+	make -C build-$T regress
+	sudo make -C build-$T install
+done
diff --git a/contrib/libfido2/.actions/build-linux-openssl3-gcc b/contrib/libfido2/.actions/build-linux-openssl3-gcc
new file mode 100755
index 000000000000..344fc12bce8c
--- /dev/null
+++ b/contrib/libfido2/.actions/build-linux-openssl3-gcc
@@ -0,0 +1,28 @@
+#!/bin/sh -eux
+
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+${CC} --version
+FAKEROOT="$(mktemp -d)"
+
+# Build and install OpenSSL 3.0.12.
+git clone --branch openssl-3.0.12 \
+	--depth=1 https://github.com/openssl/openssl
+cd openssl
+./Configure linux-x86_64 --prefix="${FAKEROOT}" \
+	--openssldir="${FAKEROOT}/openssl" --libdir=lib
+make install_sw
+cd ..
+
+# Build and install libfido2.
+for T in Debug Release; do
+	mkdir build-$T
+	export PKG_CONFIG_PATH="${FAKEROOT}/lib/pkgconfig"
+	(cd build-$T && cmake -DCMAKE_BUILD_TYPE=$T ..)
+	make -j"$(nproc)" -C build-$T
+	make -C build-$T regress
+	sudo make -C build-$T install
+done
diff --git a/contrib/libfido2/.actions/build-linux-openssl3-i686-w64-mingw32-gcc b/contrib/libfido2/.actions/build-linux-openssl3-i686-w64-mingw32-gcc
new file mode 100755
index 000000000000..3bbb141dad0d
--- /dev/null
+++ b/contrib/libfido2/.actions/build-linux-openssl3-i686-w64-mingw32-gcc
@@ -0,0 +1,59 @@
+#!/bin/sh -eux
+
+# Copyright (c) 2022-2023 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+# XXX defining CC and cross-compiling confuses OpenSSL's build.
+unset CC
+
+sudo mkdir /fakeroot
+sudo chmod 755 /fakeroot
+
+cat << EOF > /tmp/mingw.cmake
+SET(CMAKE_SYSTEM_NAME Windows)
+SET(CMAKE_C_COMPILER i686-w64-mingw32-gcc)
+SET(CMAKE_CXX_COMPILER i686-w64-mingw32-g++)
+SET(CMAKE_RC_COMPILER i686-w64-mingw32-windres)
+SET(CMAKE_FIND_ROOT_PATH /fakeroot)
+SET(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER)
+SET(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY)
+SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
+EOF
+
+# Build and install libcbor.
+git clone --depth=1 https://github.com/pjk/libcbor -b v0.10.1
+cd libcbor
+mkdir build
+(cd build && cmake -DCMAKE_TOOLCHAIN_FILE=/tmp/mingw.cmake \
+	-DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX=/fakeroot ..)
+make -j"$(nproc)" -C build
+sudo make -C build install
+cd ..
+
+# Build and install OpenSSL 3.0.11.
+git clone --branch openssl-3.0.12 \
+	--depth=1 https://github.com/openssl/openssl
+cd openssl
+./Configure mingw --prefix=/fakeroot --openssldir=/fakeroot/openssl \
+	--cross-compile-prefix=i686-w64-mingw32- --libdir=lib
+make -j"$(nproc)"
+sudo make install_sw
+cd ..
+
+# Build and install zlib.
+git clone --depth=1 https://github.com/madler/zlib -b v1.3
+cd zlib
+make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32-
+sudo make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32- DESTDIR=/fakeroot \
+	INCLUDE_PATH=/include LIBRARY_PATH=/lib BINARY_PATH=/bin install
+cd ..
+
+# Build and install libfido2.
+export PKG_CONFIG_PATH=/fakeroot/lib/pkgconfig
+mkdir build
+(cd build && cmake -DCMAKE_TOOLCHAIN_FILE=/tmp/mingw.cmake \
+	-DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=/fakeroot ..)
+make -C build 2>&1
+sudo make -C build install
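Review bot: The comment `# Build and install OpenSSL 3.0.11.` does not match the clone directly below it, which fetches `--branch openssl-3.0.12`; it should read `# Build and install OpenSSL 3.0.12.` so that a reader auditing dependency versions is not misled. The final `make -C build 2>&1` also drops the `-j"$(nproc)"` used by the sibling mingw script, which looks unintentional.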
diff --git a/contrib/libfido2/.actions/build-osx-clang b/contrib/libfido2/.actions/build-osx-clang
new file mode 100755
index 000000000000..b4beea221315
--- /dev/null
+++ b/contrib/libfido2/.actions/build-osx-clang
@@ -0,0 +1,19 @@
+#!/bin/sh -eux
+
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+export PKG_CONFIG_PATH="$(brew --prefix openssl@3.0)/lib/pkgconfig"
+SCAN="$(brew --prefix llvm)/bin/scan-build"
+
+# Build, analyze, and install libfido2.
+for T in Debug Release; do
+	mkdir build-$T
+	(cd build-$T && ${SCAN} cmake -DCMAKE_BUILD_TYPE=$T ..)
+	${SCAN} --status-bugs make -j"$(sysctl -n hw.ncpu)" -C build-$T
+	make -C build-$T man_symlink_html
+	make -C build-$T regress
+	sudo make -C build-$T install
+done
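Review bot: `export PKG_CONFIG_PATH="$(brew --prefix openssl@3.0)/lib/pkgconfig"` hides a failing `brew` from `-e`, because the status of the line is that of `export`, not of the command substitution. If `brew` fails, the variable becomes `/lib/pkgconfig` and the build would presumably link against whichever OpenSSL pkg-config finds elsewhere. Splitting the line keeps the failure fatal: `PKG_CONFIG_PATH="$(brew --prefix openssl@3.0)/lib/pkgconfig"` followed by `export PKG_CONFIG_PATH`. The `SCAN=` assignment on the next line already has the safe form.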
diff --git a/contrib/libfido2/.actions/fuzz-linux b/contrib/libfido2/.actions/fuzz-linux
new file mode 100755
index 000000000000..3f57ac40ff4b
--- /dev/null
+++ b/contrib/libfido2/.actions/fuzz-linux
@@ -0,0 +1,93 @@
+#!/bin/sh -eux
+
+# Copyright (c) 2020-2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+LIBCBOR_URL="https://github.com/pjk/libcbor"
+LIBCBOR_TAG="v0.10.2"
+LIBCBOR_ASAN="address alignment bounds"
+LIBCBOR_MSAN="memory"
+OPENSSL_URL="https://github.com/openssl/openssl"
+OPENSSL_TAG="openssl-3.0.12"
+ZLIB_URL="https://github.com/madler/zlib"
+ZLIB_TAG="v1.3"
+ZLIB_ASAN="address alignment bounds undefined"
+ZLIB_MSAN="memory"
+FIDO2_ASAN="address bounds fuzzer-no-link implicit-conversion leak"
+FIDO2_ASAN="${FIDO2_ASAN} pointer-compare pointer-subtract undefined"
+FIDO2_MSAN="fuzzer-no-link memory"
+COMMON_CFLAGS="-g2 -fno-omit-frame-pointer"
+COMMON_CFLAGS="${COMMON_CFLAGS} -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION"
+UBSAN_OPTIONS="halt_on_error=1:print_stacktrace=1:strict_string_checks=1"
+ASAN_OPTIONS="${UBSAN_OPTIONS}:detect_invalid_pointer_pairs=2:detect_leaks=1"
+MSAN_OPTIONS="${UBSAN_OPTIONS}"
+
+case "$1" in
+asan)
+	LIBCBOR_CFLAGS="-fsanitize=$(echo "${LIBCBOR_ASAN}" | tr ' ' ',')"
+	ZLIB_CFLAGS="-fsanitize=$(echo "${ZLIB_ASAN}" | tr ' ' ',')"
+	FIDO2_CFLAGS="-fsanitize=$(echo "${FIDO2_ASAN}" | tr ' ' ',')"
+	FIDO2_CFLAGS="${FIDO2_CFLAGS} -fsanitize-address-use-after-scope"
+	;;
+msan)
+	LIBCBOR_CFLAGS="-fsanitize=$(echo "${LIBCBOR_MSAN}" | tr ' ' ',')"
+	ZLIB_CFLAGS="-fsanitize=$(echo "${ZLIB_MSAN}" | tr ' ' ',')"
+	FIDO2_CFLAGS="-fsanitize=$(echo "${FIDO2_MSAN}" | tr ' ' ',')"
+	FIDO2_CFLAGS="${FIDO2_CFLAGS} -fsanitize-memory-track-origins"
+	;;
+*)
+	echo "unknown sanitiser \"$1\"" 1>&2 && exit 1
+esac
+
+${CC} --version
+WORKDIR="${WORKDIR:-$(pwd)}"
+FAKEROOT="${FAKEROOT:-$(mktemp -d)}"
+cd "${FAKEROOT}"
+
+# libcbor
+git clone --depth=1 "${LIBCBOR_URL}" -b "${LIBCBOR_TAG}"
+cd libcbor
+patch -p0 -s < "${WORKDIR}/fuzz/README"
+mkdir build
+(cd build && cmake -DBUILD_SHARED_LIBS=ON -DCMAKE_BUILD_TYPE=Debug \
+    -DCMAKE_C_FLAGS_DEBUG="${LIBCBOR_CFLAGS} ${COMMON_CFLAGS}" \
+    -DCMAKE_INSTALL_LIBDIR=lib -DCMAKE_INSTALL_PREFIX="${FAKEROOT}" \
+    -DSANITIZE=OFF ..)
+make VERBOSE=1 -j"$(nproc)" -C build all install
+cd -
+
+# openssl
+git clone --depth=1 "${OPENSSL_URL}" -b "${OPENSSL_TAG}"
+cd openssl
+./Configure linux-x86_64-clang "enable-$1" --prefix="${FAKEROOT}" \
+    --openssldir="${FAKEROOT}/openssl" --libdir=lib
+make install_sw
+cd -
+
+# zlib
+git clone --depth=1 "${ZLIB_URL}" -b "${ZLIB_TAG}"
+cd zlib
+CFLAGS="${ZLIB_CFLAGS}" LDFLAGS="${ZLIB_CFLAGS}" ./configure \
+    --prefix="${FAKEROOT}"
+make install
+cd -
+
+# libfido2
+mkdir build
+export PKG_CONFIG_PATH="${FAKEROOT}/lib/pkgconfig"
+(cd build && cmake -DCMAKE_BUILD_TYPE=Debug \
+    -DCMAKE_C_FLAGS_DEBUG="${FIDO2_CFLAGS} ${COMMON_CFLAGS}" -DFUZZ=ON \
+    -DFUZZ_LDFLAGS="-fsanitize=fuzzer" "${WORKDIR}")
+make -j"$(nproc)" -C build
+
+# fuzz
+mkdir corpus
+curl -s https://storage.googleapis.com/yubico-libfido2/corpus.tgz |
+    tar -C corpus -zxf -
+export UBSAN_OPTIONS ASAN_OPTIONS MSAN_OPTIONS
+for f in assert bio cred credman hid largeblob mgmt netlink pcsc; do
+	build/fuzz/fuzz_${f} -use_value_profile=1 -reload=30 -print_pcs=1 \
+	    -print_funcs=30 -timeout=10 -runs=1 corpus/fuzz_${f}
+done
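Review bot: The corpus download `curl -s ... | tar -C corpus -zxf -` runs without `--fail`, and plain `sh` has no pipefail, so curl's exit status is discarded and an HTTP error body would be handed straight to tar. Nothing checks that the archive is the expected one before it is unpacked. Downloading to a file first, `curl --fail --silent --show-error --output corpus.tgz <corpus-url>`, and extracting in a second step makes a transfer failure visible under `-e`. If the corpus is versioned, a recorded digest could then be compared before extraction.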
diff --git a/contrib/libfido2/.actions/llvm.gpg b/contrib/libfido2/.actions/llvm.gpg
new file mode 100644
index 000000000000..aa6b105aa3d7
--- /dev/null
+++ b/contrib/libfido2/.actions/llvm.gpg
@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+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+=j+4q
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/contrib/libfido2/.actions/setup_clang b/contrib/libfido2/.actions/setup_clang
new file mode 100755
index 000000000000..be06709c88b6
--- /dev/null
+++ b/contrib/libfido2/.actions/setup_clang
@@ -0,0 +1,17 @@
+#!/bin/sh -eu
+
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+CC="$1"
+APT="http://apt.llvm.org"
+CODENAME="$(lsb_release -cs)"
+VERSION="${CC#*-}"
+apt-get install -q -y software-properties-common
+apt-key add ./.actions/llvm.gpg
+add-apt-repository \
+    "deb ${APT}/${CODENAME}/ llvm-toolchain-${CODENAME}-${VERSION} main"
+apt-get update -q
+apt-get install -q -y "${CC}" "clang-tools-${VERSION}"
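Review bot: `apt-key add ./.actions/llvm.gpg` puts the LLVM key into apt's global trusted keyring, so that key can vouch for packages from every configured repository, not just apt.llvm.org. The repository URL is also plain `http://`. Package signatures still protect content integrity, but scoping the key with `signed-by` and fetching over HTTPS narrows both exposures. `apt-key` is deprecated as well. The sketch below assumes `gpg` is available on the runner and that the script runs as root, as the unprefixed `apt-get` calls suggest.

```shell
APT="https://apt.llvm.org"
# … unchanged: CODENAME, VERSION, apt-get install software-properties-common …
KEYRING="/usr/share/keyrings/llvm-archive-keyring.gpg"
gpg --dearmor < ./.actions/llvm.gpg > "${KEYRING}"
echo "deb [signed-by=${KEYRING}] ${APT}/${CODENAME}/ llvm-toolchain-${CODENAME}-${VERSION} main" \
    > /etc/apt/sources.list.d/llvm.list
apt-get update -q
```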
diff --git a/contrib/libfido2/.gitattributes b/contrib/libfido2/.gitattributes
new file mode 100644
index 000000000000..998f601da4d0
--- /dev/null
+++ b/contrib/libfido2/.gitattributes
@@ -0,0 +1 @@
+.* export-ignore
diff --git a/contrib/libfido2/.github/ISSUE_TEMPLATE/bug_report.md b/contrib/libfido2/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 000000000000..6e88c1ff8006
--- /dev/null
+++ b/contrib/libfido2/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,80 @@
+---
+name: Bug report
+labels: 'bug report'
+about: Report a bug in libfido2
+
+---
+
+<!--
+
+Please use the questions below as a template, and review your answers
+for potentially sensitive information.
+
+Thank you!
+
+-->
+
+**What version of libfido2 are you using?**
+
+**What operating system are you running?**
+
+**What application are you using in conjunction with libfido2?**
+
+**How does the problem manifest itself?**
+
+**Is the problem reproducible?**
+
+**What are the steps that lead to the problem?**
+
+**Does the problem happen with different authenticators?**
+
+<!--
+
+fido2-token is provided by the fido2-tools package on Debian and Ubuntu,
+and shipped with libfido2 in macOS (Homebrew), Arch Linux, and Windows.
+
+-->
+
+**Please include the output of `fido2-token -L`.**
+
+<details>
+<summary><code>fido2-token -L</code></summary>
+<br>
+<pre>
+$ fido2-token -L
+
+</pre>
+</details>
+
+**Please include the output of `fido2-token -I`.**
+
+<details>
+<summary><code>fido2-token -I</code></summary>
+<br>
+<pre>
+$ fido2-token -I &lt;device&gt;
+
+</pre>
+</details>
+
+<!--
+
+You are strongly encouraged to only capture debug output using test
+credentials. Failure to do so can disclose sensitive information.
+
+-->
+
+**Please include the output of `FIDO_DEBUG=1`.**
+
+<details>
+<summary><code>FIDO_DEBUG=1</code></summary>
+<br>
+<pre>
+$ export FIDO_DEBUG=1
+$ &lt;command1&gt;
+$ &lt;command2&gt;
+(...)
+$ &lt;commandn&gt;
+
+</pre>
+</details>
diff --git a/contrib/libfido2/.github/ISSUE_TEMPLATE/config.yml b/contrib/libfido2/.github/ISSUE_TEMPLATE/config.yml
new file mode 100644
index 000000000000..3ecb227ffeb0
--- /dev/null
+++ b/contrib/libfido2/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Feature Request
+    url: https://github.com/Yubico/libfido2/discussions/new
+    about: Share ideas for new features
+  - name: Ask a question about libfido2
+    url: https://github.com/Yubico/libfido2/discussions/new
+    about: Ask the community for help
diff --git a/contrib/libfido2/.github/workflows/alpine_builds.yml b/contrib/libfido2/.github/workflows/alpine_builds.yml
new file mode 100644
index 000000000000..c6d826f39835
--- /dev/null
+++ b/contrib/libfido2/.github/workflows/alpine_builds.yml
@@ -0,0 +1,39 @@
+# Copyright (c) 2022-2023 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+name: alpine
+
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main
+    - '*-ci'
+
+jobs:
+  build:
+    runs-on: ubuntu-20.04
+    container: alpine:latest
+    strategy:
+      fail-fast: false
+      matrix:
+        cc: [ gcc, clang ]
+    steps:
+    - name: dependencies
+      run: |
+        apk -q update
+        apk add build-base clang clang-analyzer cmake coreutils eudev-dev
+        apk add git linux-headers openssl-dev sudo zlib-dev pcsc-lite-dev \
+          libcbor-dev
+    - name: fix permissions on workdir
+      run: chown root:wheel "${GITHUB_WORKSPACE}"
+    - name: checkout libfido2
+      uses: actions/checkout@v4
+    - name: build libfido2
+      env:
+        CC: ${{ matrix.cc }}
+      run: ./.actions/build-linux-${CC}
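Review bot: The workflow declares no `permissions:` block, so the `GITHUB_TOKEN` given to the job carries the repository's default scopes even though the steps only check out and build. A top-level `permissions:` with `contents: read` would limit it to what the job needs. bsd_builds.yml, cifuzz_oss.yml and cygwin_builds.yml in this commit have the same gap. `container: alpine:latest` is also a moving target; pinning a tag or digest would let a CI break be traced to a code change rather than an image change.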
diff --git a/contrib/libfido2/.github/workflows/bsd_builds.yml b/contrib/libfido2/.github/workflows/bsd_builds.yml
new file mode 100644
index 000000000000..366ea2141aca
--- /dev/null
+++ b/contrib/libfido2/.github/workflows/bsd_builds.yml
@@ -0,0 +1,32 @@
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+name: bsd
+
+on:
+  push:
+    branches:
+    - main
+    - '*-ci'
+
+jobs:
+  build:
+    if: github.repository == 'Yubico/libfido2'
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        image: [freebsd/13.x, openbsd/7.2]
+    steps:
+    - uses: actions/checkout@v4
+    - name: dependencies
+      run: |
+        sudo apt -q update
+        sudo apt install -q -y curl jq
+    - name: build
+      env:
+        IMAGE: ${{ matrix.image }}
+        SOURCEHUT_TOKEN: ${{ secrets.SOURCEHUT_TOKEN }}
+      run: ./.actions/build-bsd
diff --git a/contrib/libfido2/.github/workflows/cifuzz_oss.yml b/contrib/libfido2/.github/workflows/cifuzz_oss.yml
new file mode 100644
index 000000000000..556d5ad36f7c
--- /dev/null
+++ b/contrib/libfido2/.github/workflows/cifuzz_oss.yml
@@ -0,0 +1,46 @@
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+name: cifuzz
+
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main
+    - '*-ci'
+
+jobs:
+  fuzzing:
+    if: github.repository == 'Yubico/libfido2'
+    runs-on: ubuntu-20.04
+    strategy:
+      fail-fast: false
+      matrix:
+        sanitizer: [address, undefined, memory]
+    steps:
+    - name: build fuzzers (${{ matrix.sanitizer }})
+      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+      with:
+        oss-fuzz-project-name: 'libfido2'
+        language: c
+        sanitizer: ${{ matrix.sanitizer }}
+        dry-run: false
+    - name: run fuzzers (${{ matrix.sanitizer }})
+      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+      with:
+        oss-fuzz-project-name: 'libfido2'
+        language: c
+        sanitizer: ${{ matrix.sanitizer }}
+        fuzz-seconds: 600
+        dry-run: false
+    - name: upload crash
+      uses: actions/upload-artifact@v3
+      if: failure()
+      with:
+        name: ${{ matrix.sanitizer }}-artifacts
+        path: ./out/artifacts
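Review bot: Both `google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master` and `.../run_fuzzers@master` follow a branch head, so whatever lands on that branch runs in this repository's CI on the next pull request or push. Pinning each `uses:` to a full commit SHA keeps the executed action code reviewable, e.g. `uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@<full-commit-sha>` with the tracked ref in a trailing comment. `actions/upload-artifact@v3` is a mutable tag and can be pinned the same way.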
diff --git a/contrib/libfido2/.github/workflows/codeql-analysis.yml b/contrib/libfido2/.github/workflows/codeql-analysis.yml
new file mode 100644
index 000000000000..a3a8d54d2daa
--- /dev/null
+++ b/contrib/libfido2/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,42 @@
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+name: "codeql"
+
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main
+    - '*-ci'
+  schedule:
+    - cron: '0 0 * * 0'
+
+permissions:
+  security-events: write
+
+jobs:
+  codeql-build:
+    if: github.repository == 'Yubico/libfido2'
+    runs-on: ubuntu-22.04
+    steps:
+    - name: checkout
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 2
+    - name: init codeql
+      uses: github/codeql-action/init@v2
+    - name: build
+      env:
+        CC: gcc
+      run: |
+        sudo apt -q update
+        sudo apt install -q -y libcbor-dev libudev-dev libz-dev original-awk \
+         libpcsclite-dev
+        ./.actions/build-linux-gcc
+    - name: perform codeql analysis
+      uses: github/codeql-action/analyze@v2
diff --git a/contrib/libfido2/.github/workflows/cygwin_builds.yml b/contrib/libfido2/.github/workflows/cygwin_builds.yml
new file mode 100644
index 000000000000..d8146c54904e
--- /dev/null
+++ b/contrib/libfido2/.github/workflows/cygwin_builds.yml
@@ -0,0 +1,30 @@
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+name: cygwin
+
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main
+    - '*-ci'
+
+jobs:
+  build:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ windows-2022 ]
+        arch: [ x64 ]
+        config: [ "Debug", "Release" ]
+    steps:
+    - uses: actions/checkout@v4
+    - name: build
+      run: |
+        .\windows\cygwin.ps1 -Config ${{ matrix.config }}
diff --git a/contrib/libfido2/.github/workflows/linux_builds.yml b/contrib/libfido2/.github/workflows/linux_builds.yml
new file mode 100644
index 000000000000..ec911cb92d92
--- /dev/null
+++ b/contrib/libfido2/.github/workflows/linux_builds.yml
@@ -0,0 +1,57 @@
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+name: linux
+
+on:
*** 2233 LINES SKIPPED ***