git: 128bace5102e - stable/14 - libfido2: update to 1.14.0
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 01 Aug 2024 16:07:20 UTC
The branch stable/14 has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=128bace5102e5871fc0a139bb0a3448a08ea3c13
commit 128bace5102e5871fc0a139bb0a3448a08ea3c13
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2024-05-04 16:51:08 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-08-01 15:11:45 +0000
libfido2: update to 1.14.0
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 60a517b66a69b8c011b04063ef63a938738719bd)
---
contrib/libfido2/.actions/build-bsd | 97 +++++++++++
contrib/libfido2/.actions/build-linux-clang | 21 +++
contrib/libfido2/.actions/build-linux-gcc | 23 +++
.../.actions/build-linux-i686-w64-mingw32-gcc | 58 +++++++
.../libfido2/.actions/build-linux-openssl3-clang | 33 ++++
contrib/libfido2/.actions/build-linux-openssl3-gcc | 28 ++++
.../build-linux-openssl3-i686-w64-mingw32-gcc | 59 +++++++
contrib/libfido2/.actions/build-osx-clang | 19 +++
contrib/libfido2/.actions/fuzz-linux | 93 +++++++++++
contrib/libfido2/.actions/llvm.gpg | 52 ++++++
contrib/libfido2/.actions/setup_clang | 17 ++
contrib/libfido2/.gitattributes | 1 +
.../libfido2/.github/ISSUE_TEMPLATE/bug_report.md | 80 ++++++++++
contrib/libfido2/.github/ISSUE_TEMPLATE/config.yml | 8 +
.../libfido2/.github/workflows/alpine_builds.yml | 39 +++++
contrib/libfido2/.github/workflows/bsd_builds.yml | 32 ++++
contrib/libfido2/.github/workflows/cifuzz_oss.yml | 46 ++++++
.../libfido2/.github/workflows/codeql-analysis.yml | 42 +++++
.../libfido2/.github/workflows/cygwin_builds.yml | 30 ++++
.../libfido2/.github/workflows/linux_builds.yml | 57 +++++++
contrib/libfido2/.github/workflows/linux_fuzz.yml | 41 +++++
.../libfido2/.github/workflows/macos_builds.yml | 32 ++++
contrib/libfido2/.github/workflows/openssl3.yml | 51 ++++++
.../libfido2/.github/workflows/windows_builds.yml | 32 ++++
contrib/libfido2/.gitignore | 9 ++
contrib/libfido2/CMakeLists.txt | 4 +-
contrib/libfido2/NEWS | 10 ++
contrib/libfido2/README.adoc | 2 +-
contrib/libfido2/examples/README.adoc | 5 +-
contrib/libfido2/examples/cred.c | 30 +++-
contrib/libfido2/fuzz/Dockerfile | 2 +-
contrib/libfido2/fuzz/Makefile | 2 +-
contrib/libfido2/fuzz/export.gnu | 2 +
contrib/libfido2/fuzz/functions.txt | 63 ++++----
contrib/libfido2/fuzz/fuzz_assert.c | 4 +-
contrib/libfido2/fuzz/report.tgz | Bin 357005 -> 361946 bytes
contrib/libfido2/fuzz/summary.txt | 18 +--
contrib/libfido2/man/CMakeLists.txt | 3 +
contrib/libfido2/man/fido2-assert.1 | 13 +-
contrib/libfido2/man/fido2-cred.1 | 13 +-
contrib/libfido2/man/fido_assert_new.3 | 14 +-
contrib/libfido2/man/fido_assert_set_authdata.3 | 59 ++++++-
contrib/libfido2/regress/assert.c | 50 +++++-
contrib/libfido2/regress/cred.c | 18 ++-
contrib/libfido2/regress/eddsa.c | 2 +-
contrib/libfido2/src/assert.c | 68 +++++++-
contrib/libfido2/src/export.gnu | 3 +
contrib/libfido2/src/export.llvm | 3 +
contrib/libfido2/src/export.msvc | 3 +
contrib/libfido2/src/fido.h | 4 +
contrib/libfido2/src/fido/types.h | 2 +
contrib/libfido2/src/webauthn.h | 177 +++++++++++++++++++--
contrib/libfido2/src/winhello.c | 63 +++++++-
contrib/libfido2/tools/assert_get.c | 19 ++-
contrib/libfido2/tools/cred_make.c | 20 ++-
contrib/libfido2/tools/extern.h | 19 +--
contrib/libfido2/tools/fido2-assert.c | 4 +-
contrib/libfido2/tools/fido2-cred.c | 4 +-
contrib/libfido2/udev/70-u2f.rules | 32 +++-
contrib/libfido2/udev/fidodevs | 16 +-
contrib/libfido2/windows/build.ps1 | 1 +
contrib/libfido2/windows/const.ps1 | 16 +-
lib/libfido2/Makefile | 2 +-
63 files changed, 1646 insertions(+), 124 deletions(-)
diff --git a/contrib/libfido2/.actions/build-bsd b/contrib/libfido2/.actions/build-bsd
new file mode 100755
index 000000000000..66fc4e3ba281
--- /dev/null
+++ b/contrib/libfido2/.actions/build-bsd
@@ -0,0 +1,97 @@
+#!/bin/sh -eux
+
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+BASE_URL="https://builds.sr.ht"
+MANIFEST="$(mktemp)"
+LOGFILE="$(mktemp)"
+trap '[ -f "${LOGFILE}" ] && cat -- "${LOGFILE}"' EXIT
+
+# construct the sourcehut build manifest
+cat > "${MANIFEST}" <<- EOF
+image: ${IMAGE}
+packages:
+ - cmake
+ - llvm
+ - pcsc-lite
+EOF
+
+case "${IMAGE}" in
+ freebsd*)
+cat >> "${MANIFEST}" <<- EOF
+ - libcbor
+ - pkgconf
+EOF
+ ;;
+esac
+
+cat >> "${MANIFEST}" <<- EOF
+sources:
+ - ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}#$(git rev-parse HEAD)
+tasks:
+ - build: |
+ if [ "\$(uname)" = "OpenBSD" ]; then
+ SUDO="doas -u root"
+ else
+ SUDO=sudo
+ fi
+ SCAN="/usr/local/bin/scan-build --use-cc=/usr/bin/cc --status-bugs"
+ cd libfido2
+ for T in Debug Release; do
+ mkdir build-\$T
+ (cd build-\$T && \${SCAN} cmake -DCMAKE_BUILD_TYPE=\$T ..)
+ \${SCAN} make -j"\$(sysctl -n hw.ncpu)" -C build-\$T
+ make -C build-\$T regress
+ \${SUDO} make -C build-\$T install
+ done
+EOF
+
+q() {
+ curl \
+ --silent \
+ --oauth2-bearer "${SOURCEHUT_TOKEN}" \
+ --header "Content-Type: application/json" \
+ --data @- -- \
+ "${BASE_URL}/query" \
+ | tee -a -- "${LOGFILE}"
+}
+
+submit_job() {
+ local manifest="$1"
+ jq \
+ --compact-output --null-input \
+ '{ query: $body, variables: { var: $var } }' \
+ --arg body 'mutation($var: String!) { submit(manifest: $var) { id } }' \
+ --rawfile var "${manifest}" \
+ | q \
+ | jq --exit-status --raw-output '.data.submit.id'
+}
+
+job_status() {
+ local id="$1"
+ jq \
+ --compact-output --null-input \
+ '{ query: $body, variables: { var: $var } }' \
+ --arg body 'query($var: Int!) { job(id: $var) { status } }' \
+ --argjson var "${id}" \
+ | q \
+ | jq --exit-status --raw-output '.data.job.status'
+}
+
+JOB_ID="$(submit_job "${MANIFEST}")" || exit 1
+[ -z "${JOB_ID}" ] && exit 1
+echo "Job '${JOB_ID}' running at ${BASE_URL}/~yubico-libfido2/job/${JOB_ID}"
+
+while true; do
+ JOB_STATUS="$(job_status "${JOB_ID}")" || exit 1
+ case "${JOB_STATUS}" in
+ SUCCESS) exit 0;;
+ FAILED) exit 1;;
+ PENDING|QUEUED|RUNNING) ;;
+ *) exit 1;;
+ esac
+ sleep 60
+done
diff --git a/contrib/libfido2/.actions/build-linux-clang b/contrib/libfido2/.actions/build-linux-clang
new file mode 100755
index 000000000000..ba20f1279ec9
--- /dev/null
+++ b/contrib/libfido2/.actions/build-linux-clang
@@ -0,0 +1,21 @@
+#!/bin/sh -eux
+
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+${CC} --version
+SCAN=scan-build${CC#clang}
+
+# Check exports.
+(cd src && ./diff_exports.sh)
+
+# Build, analyze, and install libfido2.
+for T in Debug Release; do
+ mkdir build-$T
+ (cd build-$T && ${SCAN} --use-cc="${CC}" cmake -DCMAKE_BUILD_TYPE=$T ..)
+ ${SCAN} --use-cc="${CC}" --status-bugs make -j"$(nproc)" -C build-$T
+ make -C build-$T regress
+ sudo make -C build-$T install
+done
diff --git a/contrib/libfido2/.actions/build-linux-gcc b/contrib/libfido2/.actions/build-linux-gcc
new file mode 100755
index 000000000000..cd42b5eb7bed
--- /dev/null
+++ b/contrib/libfido2/.actions/build-linux-gcc
@@ -0,0 +1,23 @@
+#!/bin/sh -eux
+
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+${CC} --version
+
+# Build and install libfido2.
+for T in Debug Release; do
+ mkdir build-$T
+ (cd build-$T && cmake -DCMAKE_BUILD_TYPE=$T ..)
+ make -j"$(nproc)" -C build-$T
+ make -C build-$T regress
+ sudo make -C build-$T install
+done
+
+# Check udev/fidodevs.
+[ -x "$(which update-alternatives)" ] && {
+ sudo update-alternatives --set awk "$(which original-awk)"
+}
+udev/check.sh udev/fidodevs
diff --git a/contrib/libfido2/.actions/build-linux-i686-w64-mingw32-gcc b/contrib/libfido2/.actions/build-linux-i686-w64-mingw32-gcc
new file mode 100755
index 000000000000..a89578da0886
--- /dev/null
+++ b/contrib/libfido2/.actions/build-linux-i686-w64-mingw32-gcc
@@ -0,0 +1,58 @@
+#!/bin/sh -eux
+
+# Copyright (c) 2022-2023 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+# XXX defining CC and cross-compiling confuses OpenSSL's build.
+unset CC
+
+sudo mkdir /fakeroot
+sudo chmod 755 /fakeroot
+
+cat << EOF > /tmp/mingw.cmake
+SET(CMAKE_SYSTEM_NAME Windows)
+SET(CMAKE_C_COMPILER i686-w64-mingw32-gcc)
+SET(CMAKE_CXX_COMPILER i686-w64-mingw32-g++)
+SET(CMAKE_RC_COMPILER i686-w64-mingw32-windres)
+SET(CMAKE_FIND_ROOT_PATH /fakeroot)
+SET(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER)
+SET(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY)
+SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
+EOF
+
+# Build and install libcbor.
+git clone --depth=1 https://github.com/pjk/libcbor -b v0.10.1
+cd libcbor
+mkdir build
+(cd build && cmake -DCMAKE_TOOLCHAIN_FILE=/tmp/mingw.cmake \
+ -DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX=/fakeroot ..)
+make -j"$(nproc)" -C build
+sudo make -C build install
+cd ..
+
+# Build and install OpenSSL 1.1.1w.
+git clone --depth=1 https://github.com/openssl/openssl -b OpenSSL_1_1_1w
+cd openssl
+./Configure mingw --prefix=/fakeroot --openssldir=/fakeroot/openssl \
+ --cross-compile-prefix=i686-w64-mingw32-
+make -j"$(nproc)"
+sudo make install_sw
+cd ..
+
+# Build and install zlib.
+git clone --depth=1 https://github.com/madler/zlib -b v1.3
+cd zlib
+make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32-
+sudo make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32- DESTDIR=/fakeroot \
+ INCLUDE_PATH=/include LIBRARY_PATH=/lib BINARY_PATH=/bin install
+cd ..
+
+# Build and install libfido2.
+export PKG_CONFIG_PATH=/fakeroot/lib/pkgconfig
+mkdir build
+(cd build && cmake -DCMAKE_TOOLCHAIN_FILE=/tmp/mingw.cmake \
+ -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=/fakeroot ..)
+make -j"$(nproc)" -C build
+sudo make -C build install
diff --git a/contrib/libfido2/.actions/build-linux-openssl3-clang b/contrib/libfido2/.actions/build-linux-openssl3-clang
new file mode 100755
index 000000000000..2383e51ad8f5
--- /dev/null
+++ b/contrib/libfido2/.actions/build-linux-openssl3-clang
@@ -0,0 +1,33 @@
+#!/bin/sh -eux
+
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+${CC} --version
+SCAN=scan-build${CC#clang}
+FAKEROOT="$(mktemp -d)"
+
+# Check exports.
+(cd src && ./diff_exports.sh)
+
+# Build and install OpenSSL 3.0.12.
+git clone --branch openssl-3.0.12 \
+ --depth=1 https://github.com/openssl/openssl
+cd openssl
+./Configure linux-x86_64-clang --prefix="${FAKEROOT}" \
+ --openssldir="${FAKEROOT}/openssl" --libdir=lib
+make install_sw
+cd ..
+
+# Build, analyze, and install libfido2.
+for T in Debug Release; do
+ mkdir build-$T
+ export PKG_CONFIG_PATH="${FAKEROOT}/lib/pkgconfig"
+ (cd build-$T && ${SCAN} --use-cc="${CC}" \
+ cmake -DCMAKE_BUILD_TYPE=$T ..)
+ ${SCAN} --use-cc="${CC}" --status-bugs make -C build-$T
+ make -C build-$T regress
+ sudo make -C build-$T install
+done
diff --git a/contrib/libfido2/.actions/build-linux-openssl3-gcc b/contrib/libfido2/.actions/build-linux-openssl3-gcc
new file mode 100755
index 000000000000..344fc12bce8c
--- /dev/null
+++ b/contrib/libfido2/.actions/build-linux-openssl3-gcc
@@ -0,0 +1,28 @@
+#!/bin/sh -eux
+
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+${CC} --version
+FAKEROOT="$(mktemp -d)"
+
+# Build and install OpenSSL 3.0.12.
+git clone --branch openssl-3.0.12 \
+ --depth=1 https://github.com/openssl/openssl
+cd openssl
+./Configure linux-x86_64 --prefix="${FAKEROOT}" \
+ --openssldir="${FAKEROOT}/openssl" --libdir=lib
+make install_sw
+cd ..
+
+# Build and install libfido2.
+for T in Debug Release; do
+ mkdir build-$T
+ export PKG_CONFIG_PATH="${FAKEROOT}/lib/pkgconfig"
+ (cd build-$T && cmake -DCMAKE_BUILD_TYPE=$T ..)
+ make -j"$(nproc)" -C build-$T
+ make -C build-$T regress
+ sudo make -C build-$T install
+done
diff --git a/contrib/libfido2/.actions/build-linux-openssl3-i686-w64-mingw32-gcc b/contrib/libfido2/.actions/build-linux-openssl3-i686-w64-mingw32-gcc
new file mode 100755
index 000000000000..3bbb141dad0d
--- /dev/null
+++ b/contrib/libfido2/.actions/build-linux-openssl3-i686-w64-mingw32-gcc
@@ -0,0 +1,59 @@
+#!/bin/sh -eux
+
+# Copyright (c) 2022-2023 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+# XXX defining CC and cross-compiling confuses OpenSSL's build.
+unset CC
+
+sudo mkdir /fakeroot
+sudo chmod 755 /fakeroot
+
+cat << EOF > /tmp/mingw.cmake
+SET(CMAKE_SYSTEM_NAME Windows)
+SET(CMAKE_C_COMPILER i686-w64-mingw32-gcc)
+SET(CMAKE_CXX_COMPILER i686-w64-mingw32-g++)
+SET(CMAKE_RC_COMPILER i686-w64-mingw32-windres)
+SET(CMAKE_FIND_ROOT_PATH /fakeroot)
+SET(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER)
+SET(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY)
+SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
+EOF
+
+# Build and install libcbor.
+git clone --depth=1 https://github.com/pjk/libcbor -b v0.10.1
+cd libcbor
+mkdir build
+(cd build && cmake -DCMAKE_TOOLCHAIN_FILE=/tmp/mingw.cmake \
+ -DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX=/fakeroot ..)
+make -j"$(nproc)" -C build
+sudo make -C build install
+cd ..
+
+# Build and install OpenSSL 3.0.11.
+git clone --branch openssl-3.0.12 \
+ --depth=1 https://github.com/openssl/openssl
+cd openssl
+./Configure mingw --prefix=/fakeroot --openssldir=/fakeroot/openssl \
+ --cross-compile-prefix=i686-w64-mingw32- --libdir=lib
+make -j"$(nproc)"
+sudo make install_sw
+cd ..
+
+# Build and install zlib.
+git clone --depth=1 https://github.com/madler/zlib -b v1.3
+cd zlib
+make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32-
+sudo make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32- DESTDIR=/fakeroot \
+ INCLUDE_PATH=/include LIBRARY_PATH=/lib BINARY_PATH=/bin install
+cd ..
+
+# Build and install libfido2.
+export PKG_CONFIG_PATH=/fakeroot/lib/pkgconfig
+mkdir build
+(cd build && cmake -DCMAKE_TOOLCHAIN_FILE=/tmp/mingw.cmake \
+ -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=/fakeroot ..)
+make -C build 2>&1
+sudo make -C build install
diff --git a/contrib/libfido2/.actions/build-osx-clang b/contrib/libfido2/.actions/build-osx-clang
new file mode 100755
index 000000000000..b4beea221315
--- /dev/null
+++ b/contrib/libfido2/.actions/build-osx-clang
@@ -0,0 +1,19 @@
+#!/bin/sh -eux
+
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+export PKG_CONFIG_PATH="$(brew --prefix openssl@3.0)/lib/pkgconfig"
+SCAN="$(brew --prefix llvm)/bin/scan-build"
+
+# Build, analyze, and install libfido2.
+for T in Debug Release; do
+ mkdir build-$T
+ (cd build-$T && ${SCAN} cmake -DCMAKE_BUILD_TYPE=$T ..)
+ ${SCAN} --status-bugs make -j"$(sysctl -n hw.ncpu)" -C build-$T
+ make -C build-$T man_symlink_html
+ make -C build-$T regress
+ sudo make -C build-$T install
+done
diff --git a/contrib/libfido2/.actions/fuzz-linux b/contrib/libfido2/.actions/fuzz-linux
new file mode 100755
index 000000000000..3f57ac40ff4b
--- /dev/null
+++ b/contrib/libfido2/.actions/fuzz-linux
@@ -0,0 +1,93 @@
+#!/bin/sh -eux
+
+# Copyright (c) 2020-2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+LIBCBOR_URL="https://github.com/pjk/libcbor"
+LIBCBOR_TAG="v0.10.2"
+LIBCBOR_ASAN="address alignment bounds"
+LIBCBOR_MSAN="memory"
+OPENSSL_URL="https://github.com/openssl/openssl"
+OPENSSL_TAG="openssl-3.0.12"
+ZLIB_URL="https://github.com/madler/zlib"
+ZLIB_TAG="v1.3"
+ZLIB_ASAN="address alignment bounds undefined"
+ZLIB_MSAN="memory"
+FIDO2_ASAN="address bounds fuzzer-no-link implicit-conversion leak"
+FIDO2_ASAN="${FIDO2_ASAN} pointer-compare pointer-subtract undefined"
+FIDO2_MSAN="fuzzer-no-link memory"
+COMMON_CFLAGS="-g2 -fno-omit-frame-pointer"
+COMMON_CFLAGS="${COMMON_CFLAGS} -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION"
+UBSAN_OPTIONS="halt_on_error=1:print_stacktrace=1:strict_string_checks=1"
+ASAN_OPTIONS="${UBSAN_OPTIONS}:detect_invalid_pointer_pairs=2:detect_leaks=1"
+MSAN_OPTIONS="${UBSAN_OPTIONS}"
+
+case "$1" in
+asan)
+ LIBCBOR_CFLAGS="-fsanitize=$(echo "${LIBCBOR_ASAN}" | tr ' ' ',')"
+ ZLIB_CFLAGS="-fsanitize=$(echo "${ZLIB_ASAN}" | tr ' ' ',')"
+ FIDO2_CFLAGS="-fsanitize=$(echo "${FIDO2_ASAN}" | tr ' ' ',')"
+ FIDO2_CFLAGS="${FIDO2_CFLAGS} -fsanitize-address-use-after-scope"
+ ;;
+msan)
+ LIBCBOR_CFLAGS="-fsanitize=$(echo "${LIBCBOR_MSAN}" | tr ' ' ',')"
+ ZLIB_CFLAGS="-fsanitize=$(echo "${ZLIB_MSAN}" | tr ' ' ',')"
+ FIDO2_CFLAGS="-fsanitize=$(echo "${FIDO2_MSAN}" | tr ' ' ',')"
+ FIDO2_CFLAGS="${FIDO2_CFLAGS} -fsanitize-memory-track-origins"
+ ;;
+*)
+ echo "unknown sanitiser \"$1\"" 1>&2 && exit 1
+esac
+
+${CC} --version
+WORKDIR="${WORKDIR:-$(pwd)}"
+FAKEROOT="${FAKEROOT:-$(mktemp -d)}"
+cd "${FAKEROOT}"
+
+# libcbor
+git clone --depth=1 "${LIBCBOR_URL}" -b "${LIBCBOR_TAG}"
+cd libcbor
+patch -p0 -s < "${WORKDIR}/fuzz/README"
+mkdir build
+(cd build && cmake -DBUILD_SHARED_LIBS=ON -DCMAKE_BUILD_TYPE=Debug \
+ -DCMAKE_C_FLAGS_DEBUG="${LIBCBOR_CFLAGS} ${COMMON_CFLAGS}" \
+ -DCMAKE_INSTALL_LIBDIR=lib -DCMAKE_INSTALL_PREFIX="${FAKEROOT}" \
+ -DSANITIZE=OFF ..)
+make VERBOSE=1 -j"$(nproc)" -C build all install
+cd -
+
+# openssl
+git clone --depth=1 "${OPENSSL_URL}" -b "${OPENSSL_TAG}"
+cd openssl
+./Configure linux-x86_64-clang "enable-$1" --prefix="${FAKEROOT}" \
+ --openssldir="${FAKEROOT}/openssl" --libdir=lib
+make install_sw
+cd -
+
+# zlib
+git clone --depth=1 "${ZLIB_URL}" -b "${ZLIB_TAG}"
+cd zlib
+CFLAGS="${ZLIB_CFLAGS}" LDFLAGS="${ZLIB_CFLAGS}" ./configure \
+ --prefix="${FAKEROOT}"
+make install
+cd -
+
+# libfido2
+mkdir build
+export PKG_CONFIG_PATH="${FAKEROOT}/lib/pkgconfig"
+(cd build && cmake -DCMAKE_BUILD_TYPE=Debug \
+ -DCMAKE_C_FLAGS_DEBUG="${FIDO2_CFLAGS} ${COMMON_CFLAGS}" -DFUZZ=ON \
+ -DFUZZ_LDFLAGS="-fsanitize=fuzzer" "${WORKDIR}")
+make -j"$(nproc)" -C build
+
+# fuzz
+mkdir corpus
+curl -s https://storage.googleapis.com/yubico-libfido2/corpus.tgz |
+ tar -C corpus -zxf -
+export UBSAN_OPTIONS ASAN_OPTIONS MSAN_OPTIONS
+for f in assert bio cred credman hid largeblob mgmt netlink pcsc; do
+ build/fuzz/fuzz_${f} -use_value_profile=1 -reload=30 -print_pcs=1 \
+ -print_funcs=30 -timeout=10 -runs=1 corpus/fuzz_${f}
+done
diff --git a/contrib/libfido2/.actions/llvm.gpg b/contrib/libfido2/.actions/llvm.gpg
new file mode 100644
index 000000000000..aa6b105aa3d7
--- /dev/null
+++ b/contrib/libfido2/.actions/llvm.gpg
@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+
+mQINBFE9lCwBEADi0WUAApM/mgHJRU8lVkkw0CHsZNpqaQDNaHefD6Rw3S4LxNmM
+EZaOTkhP200XZM8lVdbfUW9xSjA3oPldc1HG26NjbqqCmWpdo2fb+r7VmU2dq3NM
+R18ZlKixiLDE6OUfaXWKamZsXb6ITTYmgTO6orQWYrnW6ckYHSeaAkW0wkDAryl2
+B5v8aoFnQ1rFiVEMo4NGzw4UX+MelF7rxaaregmKVTPiqCOSPJ1McC1dHFN533FY
+Wh/RVLKWo6npu+owtwYFQW+zyQhKzSIMvNujFRzhIxzxR9Gn87MoLAyfgKEzrbbT
+DhqqNXTxS4UMUKCQaO93TzetX/EBrRpJj+vP640yio80h4Dr5pAd7+LnKwgpTDk1
+G88bBXJAcPZnTSKu9I2c6KY4iRNbvRz4i+ZdwwZtdW4nSdl2792L7Sl7Nc44uLL/
+ZqkKDXEBF6lsX5XpABwyK89S/SbHOytXv9o4puv+65Ac5/UShspQTMSKGZgvDauU
+cs8kE1U9dPOqVNCYq9Nfwinkf6RxV1k1+gwtclxQuY7UpKXP0hNAXjAiA5KS5Crq
+7aaJg9q2F4bub0mNU6n7UI6vXguF2n4SEtzPRk6RP+4TiT3bZUsmr+1ktogyOJCc
+Ha8G5VdL+NBIYQthOcieYCBnTeIH7D3Sp6FYQTYtVbKFzmMK+36ERreL/wARAQAB
+tD1TeWx2ZXN0cmUgTGVkcnUgLSBEZWJpYW4gTExWTSBwYWNrYWdlcyA8c3lsdmVz
+dHJlQGRlYmlhbi5vcmc+iQI4BBMBAgAiBQJRPZQsAhsDBgsJCAcDAgYVCAIJCgsE
+FgIDAQIeAQIXgAAKCRAVz00Yr090Ibx+EADArS/hvkDF8juWMXxh17CgR0WZlHCC
+9CTBWkg5a0bNN/3bb97cPQt/vIKWjQtkQpav6/5JTVCSx2riL4FHYhH0iuo4iAPR
+udC7Cvg8g7bSPrKO6tenQZNvQm+tUmBHgFiMBJi92AjZ/Qn1Shg7p9ITivFxpLyX
+wpmnF1OKyI2Kof2rm4BFwfSWuf8Fvh7kDMRLHv+MlnK/7j/BNpKdozXxLcwoFBmn
+l0WjpAH3OFF7Pvm1LJdf1DjWKH0Dc3sc6zxtmBR/KHHg6kK4BGQNnFKujcP7TVdv
+gMYv84kun14pnwjZcqOtN3UJtcx22880DOQzinoMs3Q4w4o05oIF+sSgHViFpc3W
+R0v+RllnH05vKZo+LDzc83DQVrdwliV12eHxrMQ8UYg88zCbF/cHHnlzZWAJgftg
+hB08v1BKPgYRUzwJ6VdVqXYcZWEaUJmQAPuAALyZESw94hSo28FAn0/gzEc5uOYx
+K+xG/lFwgAGYNb3uGM5m0P6LVTfdg6vDwwOeTNIExVk3KVFXeSQef2ZMkhwA7wya
+KJptkb62wBHFE+o9TUdtMCY6qONxMMdwioRE5BYNwAsS1PnRD2+jtlI0DzvKHt7B
+MWd8hnoUKhMeZ9TNmo+8CpsAtXZcBho0zPGz/R8NlJhAWpdAZ1CmcPo83EW86Yq7
+BxQUKnNHcwj2ebkCDQRRPZQsARAA4jxYmbTHwmMjqSizlMJYNuGOpIidEdx9zQ5g
+zOr431/VfWq4S+VhMDhs15j9lyml0y4ok215VRFwrAREDg6UPMr7ajLmBQGau0Fc
+bvZJ90l4NjXp5p0NEE/qOb9UEHT7EGkEhaZ1ekkWFTWCgsy7rRXfZLxB6sk7pzLC
+DshyW3zjIakWAnpQ5j5obiDy708pReAuGB94NSyb1HoW/xGsGgvvCw4r0w3xPStw
+F1PhmScE6NTBIfLliea3pl8vhKPlCh54Hk7I8QGjo1ETlRP4Qll1ZxHJ8u25f/ta
+RES2Aw8Hi7j0EVcZ6MT9JWTI83yUcnUlZPZS2HyeWcUj+8nUC8W4N8An+aNps9l/
+21inIl2TbGo3Yn1JQLnA1YCoGwC34g8QZTJhElEQBN0X29ayWW6OdFx8MDvllbBV
+ymmKq2lK1U55mQTfDli7S3vfGz9Gp/oQwZ8bQpOeUkc5hbZszYwP4RX+68xDPfn+
+M9udl+qW9wu+LyePbW6HX90LmkhNkkY2ZzUPRPDHZANU5btaPXc2H7edX4y4maQa
+xenqD0lGh9LGz/mps4HEZtCI5CY8o0uCMF3lT0XfXhuLksr7Pxv57yue8LLTItOJ
+d9Hmzp9G97SRYYeqU+8lyNXtU2PdrLLq7QHkzrsloG78lCpQcalHGACJzrlUWVP/
+fN3Ht3kAEQEAAYkCHwQYAQIACQUCUT2ULAIbDAAKCRAVz00Yr090IbhWEADbr50X
+OEXMIMGRLe+YMjeMX9NG4jxs0jZaWHc/WrGR+CCSUb9r6aPXeLo+45949uEfdSsB
+pbaEdNWxF5Vr1CSjuO5siIlgDjmT655voXo67xVpEN4HhMrxugDJfCa6z97P0+ML
+PdDxim57uNqkam9XIq9hKQaurxMAECDPmlEXI4QT3eu5qw5/knMzDMZj4Vi6hovL
+wvvAeLHO/jsyfIdNmhBGU2RWCEZ9uo/MeerPHtRPfg74g+9PPfP6nyHD2Wes6yGd
+oVQwtPNAQD6Cj7EaA2xdZYLJ7/jW6yiPu98FFWP74FN2dlyEA2uVziLsfBrgpS4l
+tVOlrO2YzkkqUGrybzbLpj6eeHx+Cd7wcjI8CalsqtL6cG8cUEjtWQUHyTbQWAgG
+5VPEgIAVhJ6RTZ26i/G+4J8neKyRs4vz+57UGwY6zI4AB1ZcWGEE3Bf+CDEDgmnP
+LSwbnHefK9IljT9XU98PelSryUO/5UPw7leE0akXKB4DtekToO226px1VnGp3Bov
+1GBGvpHvL2WizEwdk+nfk8LtrLzej+9FtIcq3uIrYnsac47Pf7p0otcFeTJTjSq3
+krCaoG4Hx0zGQG2ZFpHrSrZTVy6lxvIdfi0beMgY6h78p6M9eYZHQHc02DjFkQXN
+bXb5c6gCHESH5PXwPU4jQEE7Ib9J6sbk7ZT2Mw==
+=j+4q
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/contrib/libfido2/.actions/setup_clang b/contrib/libfido2/.actions/setup_clang
new file mode 100755
index 000000000000..be06709c88b6
--- /dev/null
+++ b/contrib/libfido2/.actions/setup_clang
@@ -0,0 +1,17 @@
+#!/bin/sh -eu
+
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+CC="$1"
+APT="http://apt.llvm.org"
+CODENAME="$(lsb_release -cs)"
+VERSION="${CC#*-}"
+apt-get install -q -y software-properties-common
+apt-key add ./.actions/llvm.gpg
+add-apt-repository \
+ "deb ${APT}/${CODENAME}/ llvm-toolchain-${CODENAME}-${VERSION} main"
+apt-get update -q
+apt-get install -q -y "${CC}" "clang-tools-${VERSION}"
diff --git a/contrib/libfido2/.gitattributes b/contrib/libfido2/.gitattributes
new file mode 100644
index 000000000000..998f601da4d0
--- /dev/null
+++ b/contrib/libfido2/.gitattributes
@@ -0,0 +1 @@
+.* export-ignore
diff --git a/contrib/libfido2/.github/ISSUE_TEMPLATE/bug_report.md b/contrib/libfido2/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 000000000000..6e88c1ff8006
--- /dev/null
+++ b/contrib/libfido2/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,80 @@
+---
+name: Bug report
+labels: 'bug report'
+about: Report a bug in libfido2
+
+---
+
+<!--
+
+Please use the questions below as a template, and review your answers
+for potentially sensitive information.
+
+Thank you!
+
+-->
+
+**What version of libfido2 are you using?**
+
+**What operating system are you running?**
+
+**What application are you using in conjunction with libfido2?**
+
+**How does the problem manifest itself?**
+
+**Is the problem reproducible?**
+
+**What are the steps that lead to the problem?**
+
+**Does the problem happen with different authenticators?**
+
+<!--
+
+fido2-token is provided by the fido2-tools package on Debian and Ubuntu,
+and shipped with libfido2 in macOS (Homebrew), Arch Linux, and Windows.
+
+-->
+
+**Please include the output of `fido2-token -L`.**
+
+<details>
+<summary><code>fido2-token -L</code></summary>
+<br>
+<pre>
+$ fido2-token -L
+
+</pre>
+</details>
+
+**Please include the output of `fido2-token -I`.**
+
+<details>
+<summary><code>fido2-token -I</code></summary>
+<br>
+<pre>
+$ fido2-token -I <device>
+
+</pre>
+</details>
+
+<!--
+
+You are strongly encouraged to only capture debug output using test
+credentials. Failure to do so can disclose sensitive information.
+
+-->
+
+**Please include the output of `FIDO_DEBUG=1`.**
+
+<details>
+<summary><code>FIDO_DEBUG=1</code></summary>
+<br>
+<pre>
+$ export FIDO_DEBUG=1
+$ <command1>
+$ <command2>
+(...)
+$ <commandn>
+
+</pre>
+</details>
diff --git a/contrib/libfido2/.github/ISSUE_TEMPLATE/config.yml b/contrib/libfido2/.github/ISSUE_TEMPLATE/config.yml
new file mode 100644
index 000000000000..3ecb227ffeb0
--- /dev/null
+++ b/contrib/libfido2/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+ - name: Feature Request
+ url: https://github.com/Yubico/libfido2/discussions/new
+ about: Share ideas for new features
+ - name: Ask a question about libfido2
+ url: https://github.com/Yubico/libfido2/discussions/new
+ about: Ask the community for help
diff --git a/contrib/libfido2/.github/workflows/alpine_builds.yml b/contrib/libfido2/.github/workflows/alpine_builds.yml
new file mode 100644
index 000000000000..c6d826f39835
--- /dev/null
+++ b/contrib/libfido2/.github/workflows/alpine_builds.yml
@@ -0,0 +1,39 @@
+# Copyright (c) 2022-2023 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+name: alpine
+
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+ - '*-ci'
+
+jobs:
+ build:
+ runs-on: ubuntu-20.04
+ container: alpine:latest
+ strategy:
+ fail-fast: false
+ matrix:
+ cc: [ gcc, clang ]
+ steps:
+ - name: dependencies
+ run: |
+ apk -q update
+ apk add build-base clang clang-analyzer cmake coreutils eudev-dev
+ apk add git linux-headers openssl-dev sudo zlib-dev pcsc-lite-dev \
+ libcbor-dev
+ - name: fix permissions on workdir
+ run: chown root:wheel "${GITHUB_WORKSPACE}"
+ - name: checkout libfido2
+ uses: actions/checkout@v4
+ - name: build libfido2
+ env:
+ CC: ${{ matrix.cc }}
+ run: ./.actions/build-linux-${CC}
diff --git a/contrib/libfido2/.github/workflows/bsd_builds.yml b/contrib/libfido2/.github/workflows/bsd_builds.yml
new file mode 100644
index 000000000000..366ea2141aca
--- /dev/null
+++ b/contrib/libfido2/.github/workflows/bsd_builds.yml
@@ -0,0 +1,32 @@
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+name: bsd
+
+on:
+ push:
+ branches:
+ - main
+ - '*-ci'
+
+jobs:
+ build:
+ if: github.repository == 'Yubico/libfido2'
+ runs-on: ubuntu-22.04
+ strategy:
+ fail-fast: false
+ matrix:
+ image: [freebsd/13.x, openbsd/7.2]
+ steps:
+ - uses: actions/checkout@v4
+ - name: dependencies
+ run: |
+ sudo apt -q update
+ sudo apt install -q -y curl jq
+ - name: build
+ env:
+ IMAGE: ${{ matrix.image }}
+ SOURCEHUT_TOKEN: ${{ secrets.SOURCEHUT_TOKEN }}
+ run: ./.actions/build-bsd
diff --git a/contrib/libfido2/.github/workflows/cifuzz_oss.yml b/contrib/libfido2/.github/workflows/cifuzz_oss.yml
new file mode 100644
index 000000000000..556d5ad36f7c
--- /dev/null
+++ b/contrib/libfido2/.github/workflows/cifuzz_oss.yml
@@ -0,0 +1,46 @@
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+name: cifuzz
+
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+ - '*-ci'
+
+jobs:
+ fuzzing:
+ if: github.repository == 'Yubico/libfido2'
+ runs-on: ubuntu-20.04
+ strategy:
+ fail-fast: false
+ matrix:
+ sanitizer: [address, undefined, memory]
+ steps:
+ - name: build fuzzers (${{ matrix.sanitizer }})
+ uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+ with:
+ oss-fuzz-project-name: 'libfido2'
+ language: c
+ sanitizer: ${{ matrix.sanitizer }}
+ dry-run: false
+ - name: run fuzzers (${{ matrix.sanitizer }})
+ uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+ with:
+ oss-fuzz-project-name: 'libfido2'
+ language: c
+ sanitizer: ${{ matrix.sanitizer }}
+ fuzz-seconds: 600
+ dry-run: false
+ - name: upload crash
+ uses: actions/upload-artifact@v3
+ if: failure()
+ with:
+ name: ${{ matrix.sanitizer }}-artifacts
+ path: ./out/artifacts
diff --git a/contrib/libfido2/.github/workflows/codeql-analysis.yml b/contrib/libfido2/.github/workflows/codeql-analysis.yml
new file mode 100644
index 000000000000..a3a8d54d2daa
--- /dev/null
+++ b/contrib/libfido2/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,42 @@
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+name: "codeql"
+
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+ - '*-ci'
+ schedule:
+ - cron: '0 0 * * 0'
+
+permissions:
+ security-events: write
+
+jobs:
+ codeql-build:
+ if: github.repository == 'Yubico/libfido2'
+ runs-on: ubuntu-22.04
+ steps:
+ - name: checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 2
+ - name: init codeql
+ uses: github/codeql-action/init@v2
+ - name: build
+ env:
+ CC: gcc
+ run: |
+ sudo apt -q update
+ sudo apt install -q -y libcbor-dev libudev-dev libz-dev original-awk \
+ libpcsclite-dev
+ ./.actions/build-linux-gcc
+ - name: perform codeql analysis
+ uses: github/codeql-action/analyze@v2
diff --git a/contrib/libfido2/.github/workflows/cygwin_builds.yml b/contrib/libfido2/.github/workflows/cygwin_builds.yml
new file mode 100644
index 000000000000..d8146c54904e
--- /dev/null
+++ b/contrib/libfido2/.github/workflows/cygwin_builds.yml
@@ -0,0 +1,30 @@
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+name: cygwin
+
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+ - '*-ci'
+
+jobs:
+ build:
+ runs-on: ${{ matrix.os }}
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [ windows-2022 ]
+ arch: [ x64 ]
+ config: [ "Debug", "Release" ]
+ steps:
+ - uses: actions/checkout@v4
+ - name: build
+ run: |
+ .\windows\cygwin.ps1 -Config ${{ matrix.config }}
diff --git a/contrib/libfido2/.github/workflows/linux_builds.yml b/contrib/libfido2/.github/workflows/linux_builds.yml
new file mode 100644
index 000000000000..ec911cb92d92
--- /dev/null
+++ b/contrib/libfido2/.github/workflows/linux_builds.yml
@@ -0,0 +1,57 @@
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+name: linux
+
+on:
*** 2233 LINES SKIPPED ***