git: a54428834b9d - stable/15 - libfido2: Update to 1.16.0
Date: Wed, 22 Apr 2026 14:24:18 UTC
The branch stable/15 has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=a54428834b9d82e9e297664d21b84993a491da0d
commit a54428834b9d82e9e297664d21b84993a491da0d
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2026-04-07 13:14:41 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2026-04-22 14:24:02 +0000
libfido2: Update to 1.16.0
Sponsored by: The FreeBSD Foundation
(cherry picked from commit febb0da5bf4bc99828ebede7abcb039514ac367a)
---
contrib/libfido2/.actions/build-bsd | 6 +-
.../.actions/build-linux-i686-w64-mingw32-gcc | 6 +-
.../libfido2/.actions/build-linux-openssl3-clang | 6 +-
contrib/libfido2/.actions/build-linux-openssl3-gcc | 6 +-
.../build-linux-openssl3-i686-w64-mingw32-gcc | 10 +-
contrib/libfido2/.actions/build-osx-clang | 3 +-
contrib/libfido2/.actions/fuzz-linux | 13 +-
contrib/libfido2/.actions/run-shellcheck | 25 +
.../libfido2/.github/workflows/alpine_builds.yml | 4 +-
contrib/libfido2/.github/workflows/bsd_builds.yml | 9 +-
contrib/libfido2/.github/workflows/cifuzz_oss.yml | 6 +-
.../libfido2/.github/workflows/codeql-analysis.yml | 8 +-
.../libfido2/.github/workflows/linux_builds.yml | 15 +-
contrib/libfido2/.github/workflows/linux_fuzz.yml | 6 +-
.../libfido2/.github/workflows/macos_builds.yml | 4 +-
contrib/libfido2/.github/workflows/openssl3.yml | 14 +-
contrib/libfido2/.github/workflows/shellcheck.yml | 27 +
contrib/libfido2/CMakeLists.txt | 12 +-
contrib/libfido2/LICENSE | 2 +-
contrib/libfido2/NEWS | 28 +-
contrib/libfido2/README.adoc | 6 +-
contrib/libfido2/SECURITY.md | 2 +-
contrib/libfido2/examples/README.adoc | 3 +-
contrib/libfido2/examples/cred.c | 29 +-
contrib/libfido2/fuzz/CMakeLists.txt | 13 +-
contrib/libfido2/fuzz/Dockerfile | 2 +-
contrib/libfido2/fuzz/Makefile | 6 +-
contrib/libfido2/fuzz/export.gnu | 6 +
contrib/libfido2/fuzz/functions.txt | 1096 ++++++++++----------
contrib/libfido2/fuzz/fuzz_attobj.c | 333 ++++++
contrib/libfido2/fuzz/fuzz_cred.c | 13 +-
contrib/libfido2/fuzz/libfuzzer.c | 1 +
contrib/libfido2/fuzz/mutator_aux.c | 6 +
contrib/libfido2/fuzz/report.tgz | Bin 361946 -> 372600 bytes
contrib/libfido2/fuzz/summary.txt | 94 +-
contrib/libfido2/man/CMakeLists.txt | 8 +-
contrib/libfido2/man/check.sh | 1 +
contrib/libfido2/man/fido2-assert.1 | 6 +-
contrib/libfido2/man/fido2-cred.1 | 14 +-
contrib/libfido2/man/fido_cred_new.3 | 54 +-
contrib/libfido2/man/fido_cred_set_authdata.3 | 48 +-
contrib/libfido2/regress/CMakeLists.txt | 31 +-
contrib/libfido2/regress/cred.c | 1068 +++++++++++++++++--
contrib/libfido2/regress/dev.c | 234 +----
contrib/libfido2/regress/extern.h | 17 +
contrib/libfido2/regress/mock.c | 182 ++++
contrib/libfido2/src/CMakeLists.txt | 8 +-
contrib/libfido2/src/aes256.c | 6 +-
contrib/libfido2/src/bio.c | 11 +-
contrib/libfido2/src/cbor.c | 105 +-
contrib/libfido2/src/cred.c | 143 ++-
contrib/libfido2/src/credman.c | 11 +-
contrib/libfido2/src/dev.c | 11 +-
contrib/libfido2/src/export.gnu | 6 +
contrib/libfido2/src/export.llvm | 6 +
contrib/libfido2/src/export.msvc | 6 +
contrib/libfido2/src/extern.h | 24 +-
contrib/libfido2/src/fido.h | 8 +-
contrib/libfido2/src/fido/param.h | 9 +-
contrib/libfido2/src/fido/types.h | 20 +-
contrib/libfido2/src/hid_linux.c | 36 +-
contrib/libfido2/src/hid_netbsd.c | 6 +-
contrib/libfido2/src/hid_osx.c | 40 +-
contrib/libfido2/src/nfc.c | 98 +-
contrib/libfido2/src/pin.c | 2 +
contrib/libfido2/src/random.c | 12 +-
contrib/libfido2/src/rs1.c | 53 +-
contrib/libfido2/src/rs256.c | 53 +-
contrib/libfido2/src/u2f.c | 1 +
contrib/libfido2/src/winhello.c | 58 +-
contrib/libfido2/tools/cred_make.c | 14 +-
contrib/libfido2/tools/credman.c | 7 +-
contrib/libfido2/tools/fido2-cred.c | 4 +-
contrib/libfido2/tools/fido2-unprot.sh | 39 +-
contrib/libfido2/tools/include_check.sh | 17 +-
contrib/libfido2/tools/test.sh | 145 +--
contrib/libfido2/tools/token.c | 9 +
contrib/libfido2/udev/check.sh | 4 +-
contrib/libfido2/windows/build.ps1 | 41 +-
contrib/libfido2/windows/const.ps1 | 17 +-
contrib/libfido2/windows/cygwin.ps1 | 11 +-
contrib/libfido2/windows/release.ps1 | 22 +-
82 files changed, 3140 insertions(+), 1406 deletions(-)
diff --git a/contrib/libfido2/.actions/build-bsd b/contrib/libfido2/.actions/build-bsd
index 66fc4e3ba281..c56f084a3a84 100755
--- a/contrib/libfido2/.actions/build-bsd
+++ b/contrib/libfido2/.actions/build-bsd
@@ -15,7 +15,7 @@ cat > "${MANIFEST}" <<- EOF
image: ${IMAGE}
packages:
- cmake
- - llvm
+ - llvm${LLVM_VERSION:+%${LLVM_VERSION}}
- pcsc-lite
EOF
@@ -38,7 +38,7 @@ tasks:
else
SUDO=sudo
fi
- SCAN="/usr/local/bin/scan-build --use-cc=/usr/bin/cc --status-bugs"
+ SCAN="/usr/local/bin/scan-build${LLVM_VERSION:+-${LLVM_VERSION}} --use-cc=/usr/bin/cc --status-bugs"
cd libfido2
for T in Debug Release; do
mkdir build-\$T
@@ -60,6 +60,7 @@ q() {
}
submit_job() {
+ # shellcheck disable=SC3043
local manifest="$1"
jq \
--compact-output --null-input \
@@ -71,6 +72,7 @@ submit_job() {
}
job_status() {
+ # shellcheck disable=SC3043
local id="$1"
jq \
--compact-output --null-input \
diff --git a/contrib/libfido2/.actions/build-linux-i686-w64-mingw32-gcc b/contrib/libfido2/.actions/build-linux-i686-w64-mingw32-gcc
index a89578da0886..6bcfe6348a69 100755
--- a/contrib/libfido2/.actions/build-linux-i686-w64-mingw32-gcc
+++ b/contrib/libfido2/.actions/build-linux-i686-w64-mingw32-gcc
@@ -1,6 +1,6 @@
#!/bin/sh -eux
-# Copyright (c) 2022-2023 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# SPDX-License-Identifier: BSD-2-Clause
@@ -23,7 +23,7 @@ SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
EOF
# Build and install libcbor.
-git clone --depth=1 https://github.com/pjk/libcbor -b v0.10.1
+git clone --depth=1 https://github.com/pjk/libcbor -b v0.12.0
cd libcbor
mkdir build
(cd build && cmake -DCMAKE_TOOLCHAIN_FILE=/tmp/mingw.cmake \
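Review bot: The libcbor checkout in this hunk is pinned only by tag name (`-b v0.12.0`), so the build, and the install step that follows outside the hunk, trusts whatever commit that tag resolves to at fetch time. Tags can be moved upstream, so recording the expected commit and checking it right after `cd libcbor` would make the pin verifiable, e.g. `test "$(git rev-parse HEAD)" = "<EXPECTED_LIBCBOR_COMMIT>"` (placeholder value; the script already runs with `-e`, so a mismatch aborts). The same applies to the zlib clone in this file's next hunk, the libcbor, OpenSSL and zlib clones in the build-linux-openssl3-* scripts, the `*_TAG` variables in fuzz-linux, and the `git clone --branch v0.12.0` in fuzz/Dockerfile.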
@@ -42,7 +42,7 @@ sudo make install_sw
cd ..
# Build and install zlib.
-git clone --depth=1 https://github.com/madler/zlib -b v1.3
+git clone --depth=1 https://github.com/madler/zlib -b v1.3.1
cd zlib
make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32-
sudo make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32- DESTDIR=/fakeroot \
diff --git a/contrib/libfido2/.actions/build-linux-openssl3-clang b/contrib/libfido2/.actions/build-linux-openssl3-clang
index 2383e51ad8f5..4b805793bf39 100755
--- a/contrib/libfido2/.actions/build-linux-openssl3-clang
+++ b/contrib/libfido2/.actions/build-linux-openssl3-clang
@@ -1,6 +1,6 @@
#!/bin/sh -eux
-# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# SPDX-License-Identifier: BSD-2-Clause
@@ -12,8 +12,8 @@ FAKEROOT="$(mktemp -d)"
# Check exports.
(cd src && ./diff_exports.sh)
-# Build and install OpenSSL 3.0.12.
-git clone --branch openssl-3.0.12 \
+# Build and install OpenSSL 3.0.15.
+git clone --branch openssl-3.0.15 \
--depth=1 https://github.com/openssl/openssl
cd openssl
./Configure linux-x86_64-clang --prefix="${FAKEROOT}" \
diff --git a/contrib/libfido2/.actions/build-linux-openssl3-gcc b/contrib/libfido2/.actions/build-linux-openssl3-gcc
index 344fc12bce8c..91ccd48ffe28 100755
--- a/contrib/libfido2/.actions/build-linux-openssl3-gcc
+++ b/contrib/libfido2/.actions/build-linux-openssl3-gcc
@@ -1,6 +1,6 @@
#!/bin/sh -eux
-# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# SPDX-License-Identifier: BSD-2-Clause
@@ -8,8 +8,8 @@
${CC} --version
FAKEROOT="$(mktemp -d)"
-# Build and install OpenSSL 3.0.12.
-git clone --branch openssl-3.0.12 \
+# Build and install OpenSSL 3.0.15.
+git clone --branch openssl-3.0.15 \
--depth=1 https://github.com/openssl/openssl
cd openssl
./Configure linux-x86_64 --prefix="${FAKEROOT}" \
diff --git a/contrib/libfido2/.actions/build-linux-openssl3-i686-w64-mingw32-gcc b/contrib/libfido2/.actions/build-linux-openssl3-i686-w64-mingw32-gcc
index 3bbb141dad0d..a9ba2e2b56d8 100755
--- a/contrib/libfido2/.actions/build-linux-openssl3-i686-w64-mingw32-gcc
+++ b/contrib/libfido2/.actions/build-linux-openssl3-i686-w64-mingw32-gcc
@@ -1,6 +1,6 @@
#!/bin/sh -eux
-# Copyright (c) 2022-2023 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# SPDX-License-Identifier: BSD-2-Clause
@@ -23,7 +23,7 @@ SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
EOF
# Build and install libcbor.
-git clone --depth=1 https://github.com/pjk/libcbor -b v0.10.1
+git clone --depth=1 https://github.com/pjk/libcbor -b v0.12.0
cd libcbor
mkdir build
(cd build && cmake -DCMAKE_TOOLCHAIN_FILE=/tmp/mingw.cmake \
@@ -32,8 +32,8 @@ make -j"$(nproc)" -C build
sudo make -C build install
cd ..
-# Build and install OpenSSL 3.0.11.
-git clone --branch openssl-3.0.12 \
+# Build and install OpenSSL 3.0.15.
+git clone --branch openssl-3.0.15 \
--depth=1 https://github.com/openssl/openssl
cd openssl
./Configure mingw --prefix=/fakeroot --openssldir=/fakeroot/openssl \
@@ -43,7 +43,7 @@ sudo make install_sw
cd ..
# Build and install zlib.
-git clone --depth=1 https://github.com/madler/zlib -b v1.3
+git clone --depth=1 https://github.com/madler/zlib -b v1.3.1
cd zlib
make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32-
sudo make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32- DESTDIR=/fakeroot \
diff --git a/contrib/libfido2/.actions/build-osx-clang b/contrib/libfido2/.actions/build-osx-clang
index b4beea221315..552e99f83e58 100755
--- a/contrib/libfido2/.actions/build-osx-clang
+++ b/contrib/libfido2/.actions/build-osx-clang
@@ -5,7 +5,8 @@
# license that can be found in the LICENSE file.
# SPDX-License-Identifier: BSD-2-Clause
-export PKG_CONFIG_PATH="$(brew --prefix openssl@3.0)/lib/pkgconfig"
+PKG_CONFIG_PATH="$(brew --prefix openssl@3.0)/lib/pkgconfig"
+export PKG_CONFIG_PATH
SCAN="$(brew --prefix llvm)/bin/scan-build"
# Build, analyze, and install libfido2.
diff --git a/contrib/libfido2/.actions/fuzz-linux b/contrib/libfido2/.actions/fuzz-linux
index 3f57ac40ff4b..e404c8e7b4c6 100755
--- a/contrib/libfido2/.actions/fuzz-linux
+++ b/contrib/libfido2/.actions/fuzz-linux
@@ -1,18 +1,18 @@
#!/bin/sh -eux
-# Copyright (c) 2020-2022 Yubico AB. All rights reserved.
+# Copyright (c) 2020-2024 Yubico AB. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# SPDX-License-Identifier: BSD-2-Clause
LIBCBOR_URL="https://github.com/pjk/libcbor"
-LIBCBOR_TAG="v0.10.2"
+LIBCBOR_TAG="v0.12.0"
LIBCBOR_ASAN="address alignment bounds"
LIBCBOR_MSAN="memory"
OPENSSL_URL="https://github.com/openssl/openssl"
-OPENSSL_TAG="openssl-3.0.12"
+OPENSSL_TAG="openssl-3.0.15"
ZLIB_URL="https://github.com/madler/zlib"
-ZLIB_TAG="v1.3"
+ZLIB_TAG="v1.3.1"
ZLIB_ASAN="address alignment bounds undefined"
ZLIB_MSAN="memory"
FIDO2_ASAN="address bounds fuzzer-no-link implicit-conversion leak"
@@ -63,6 +63,7 @@ git clone --depth=1 "${OPENSSL_URL}" -b "${OPENSSL_TAG}"
cd openssl
./Configure linux-x86_64-clang "enable-$1" --prefix="${FAKEROOT}" \
--openssldir="${FAKEROOT}/openssl" --libdir=lib
+make -j"$(nproc)" build_sw
make install_sw
cd -
@@ -71,7 +72,7 @@ git clone --depth=1 "${ZLIB_URL}" -b "${ZLIB_TAG}"
cd zlib
CFLAGS="${ZLIB_CFLAGS}" LDFLAGS="${ZLIB_CFLAGS}" ./configure \
--prefix="${FAKEROOT}"
-make install
+make -j"$(nproc)" install
cd -
# libfido2
@@ -87,7 +88,7 @@ mkdir corpus
curl -s https://storage.googleapis.com/yubico-libfido2/corpus.tgz |
tar -C corpus -zxf -
export UBSAN_OPTIONS ASAN_OPTIONS MSAN_OPTIONS
-for f in assert bio cred credman hid largeblob mgmt netlink pcsc; do
+for f in assert attobj bio cred credman hid largeblob mgmt netlink pcsc; do
build/fuzz/fuzz_${f} -use_value_profile=1 -reload=30 -print_pcs=1 \
-print_funcs=30 -timeout=10 -runs=1 corpus/fuzz_${f}
done
diff --git a/contrib/libfido2/.actions/run-shellcheck b/contrib/libfido2/.actions/run-shellcheck
new file mode 100755
index 000000000000..063a5e0d1f1a
--- /dev/null
+++ b/contrib/libfido2/.actions/run-shellcheck
@@ -0,0 +1,25 @@
+#!/bin/sh -u
+
+# Copyright (c) 2024 Google LLC. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+LIST="$(mktemp)"
+trap 'rm -- $LIST' EXIT
+
+git ls-files | while read -r file; do
+ if head -n1 "$file" | grep -q '^#!.*sh'; then
+ if ! shellcheck -Cnever --norc "$file"; then
+ echo "$file" >> "$LIST"
+ fi
+ fi
+done
+
+[ -s "$LIST" ] && {
+ echo "The following files contain errors:"
+ cat "$LIST"
+ exit 1
+} 1>&2
+
+exit 0
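Review bot: If `mktemp` fails, `LIST` is empty, every `>> "$LIST"` redirection fails, `[ -s "$LIST" ]` is false and the script falls through to `exit 0`, so the lint gate passes without having recorded any failing file. The shebang sets only `-u`, which does not stop on that failure; `LIST="$(mktemp)" || exit 1` closes that path. The trap body also expands `$LIST` unquoted, and `trap 'rm -- "$LIST"' EXIT` keeps the path a single word. Separately, the pattern `'^#!.*sh'` selects any first line with "sh" anywhere after `#!`, so a short comment naming the interpreters the check is meant to cover would help the next maintainer.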
diff --git a/contrib/libfido2/.github/workflows/alpine_builds.yml b/contrib/libfido2/.github/workflows/alpine_builds.yml
index c6d826f39835..874f7104539f 100644
--- a/contrib/libfido2/.github/workflows/alpine_builds.yml
+++ b/contrib/libfido2/.github/workflows/alpine_builds.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2022-2023 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# SPDX-License-Identifier: BSD-2-Clause
@@ -16,7 +16,7 @@ on:
jobs:
build:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-24.04
container: alpine:latest
strategy:
fail-fast: false
diff --git a/contrib/libfido2/.github/workflows/bsd_builds.yml b/contrib/libfido2/.github/workflows/bsd_builds.yml
index 366ea2141aca..a4dcf0073251 100644
--- a/contrib/libfido2/.github/workflows/bsd_builds.yml
+++ b/contrib/libfido2/.github/workflows/bsd_builds.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# SPDX-License-Identifier: BSD-2-Clause
@@ -14,11 +14,13 @@ on:
jobs:
build:
if: github.repository == 'Yubico/libfido2'
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
strategy:
fail-fast: false
matrix:
- image: [freebsd/13.x, openbsd/7.2]
+ include:
+ - { image: freebsd/14.x }
+ - { image: openbsd/7.6, llvm_version: 16 }
steps:
- uses: actions/checkout@v4
- name: dependencies
@@ -27,6 +29,7 @@ jobs:
sudo apt install -q -y curl jq
- name: build
env:
+ LLVM_VERSION: ${{ matrix.llvm_version }}
IMAGE: ${{ matrix.image }}
SOURCEHUT_TOKEN: ${{ secrets.SOURCEHUT_TOKEN }}
run: ./.actions/build-bsd
diff --git a/contrib/libfido2/.github/workflows/cifuzz_oss.yml b/contrib/libfido2/.github/workflows/cifuzz_oss.yml
index 556d5ad36f7c..7d621c644786 100644
--- a/contrib/libfido2/.github/workflows/cifuzz_oss.yml
+++ b/contrib/libfido2/.github/workflows/cifuzz_oss.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# SPDX-License-Identifier: BSD-2-Clause
@@ -17,7 +17,7 @@ on:
jobs:
fuzzing:
if: github.repository == 'Yubico/libfido2'
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-24.04
strategy:
fail-fast: false
matrix:
@@ -39,7 +39,7 @@ jobs:
fuzz-seconds: 600
dry-run: false
- name: upload crash
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
if: failure()
with:
name: ${{ matrix.sanitizer }}-artifacts
diff --git a/contrib/libfido2/.github/workflows/codeql-analysis.yml b/contrib/libfido2/.github/workflows/codeql-analysis.yml
index a3a8d54d2daa..486dd900e5bc 100644
--- a/contrib/libfido2/.github/workflows/codeql-analysis.yml
+++ b/contrib/libfido2/.github/workflows/codeql-analysis.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# SPDX-License-Identifier: BSD-2-Clause
@@ -22,14 +22,14 @@ permissions:
jobs:
codeql-build:
if: github.repository == 'Yubico/libfido2'
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
steps:
- name: checkout
uses: actions/checkout@v4
with:
fetch-depth: 2
- name: init codeql
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@v3
- name: build
env:
CC: gcc
@@ -39,4 +39,4 @@ jobs:
libpcsclite-dev
./.actions/build-linux-gcc
- name: perform codeql analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@v3
diff --git a/contrib/libfido2/.github/workflows/linux_builds.yml b/contrib/libfido2/.github/workflows/linux_builds.yml
index ec911cb92d92..a1e007daf404 100644
--- a/contrib/libfido2/.github/workflows/linux_builds.yml
+++ b/contrib/libfido2/.github/workflows/linux_builds.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# SPDX-License-Identifier: BSD-2-Clause
@@ -21,17 +21,16 @@ jobs:
fail-fast: false
matrix:
include:
- - { os: ubuntu-20.04, cc: gcc-8 }
- - { os: ubuntu-22.04, cc: gcc-9 }
- { os: ubuntu-22.04, cc: gcc-10 }
- { os: ubuntu-22.04, cc: gcc-11 }
- - { os: ubuntu-22.04, cc: gcc-12 }
- - { os: ubuntu-22.04, cc: clang-13 }
- - { os: ubuntu-22.04, cc: clang-14 }
- - { os: ubuntu-22.04, cc: clang-15 }
+ - { os: ubuntu-24.04, cc: gcc-12 }
+ - { os: ubuntu-24.04, cc: gcc-13 }
- { os: ubuntu-22.04, cc: clang-16 }
- - { os: ubuntu-20.04, cc: i686-w64-mingw32-gcc-9 }
+ - { os: ubuntu-22.04, cc: clang-17 }
+ - { os: ubuntu-24.04, cc: clang-18 }
+ - { os: ubuntu-24.04, cc: clang-19 }
- { os: ubuntu-22.04, cc: i686-w64-mingw32-gcc-10 }
+ - { os: ubuntu-24.04, cc: i686-w64-mingw32-gcc-11 }
steps:
- uses: actions/checkout@v4
- name: dependencies
diff --git a/contrib/libfido2/.github/workflows/linux_fuzz.yml b/contrib/libfido2/.github/workflows/linux_fuzz.yml
index 296c0d9fab23..ea2d3833dca2 100644
--- a/contrib/libfido2/.github/workflows/linux_fuzz.yml
+++ b/contrib/libfido2/.github/workflows/linux_fuzz.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# SPDX-License-Identifier: BSD-2-Clause
@@ -20,8 +20,8 @@ jobs:
strategy:
fail-fast: false
matrix:
- os: [ ubuntu-22.04 ]
- cc: [ clang-16 ]
+ os: [ ubuntu-24.04 ]
+ cc: [ clang-19 ]
sanitizer: [ asan, msan ]
steps:
- uses: actions/checkout@v4
diff --git a/contrib/libfido2/.github/workflows/macos_builds.yml b/contrib/libfido2/.github/workflows/macos_builds.yml
index 7d84a750ac37..90466550ee69 100644
--- a/contrib/libfido2/.github/workflows/macos_builds.yml
+++ b/contrib/libfido2/.github/workflows/macos_builds.yml
@@ -20,11 +20,13 @@ jobs:
strategy:
fail-fast: false
matrix:
- os: [ macos-13, macos-12 ]
+ os: [ macos-15, macos-14, macos-13 ]
cc: [ clang ]
steps:
- uses: actions/checkout@v4
- name: dependencies
+ env:
+ HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK: 1
run: brew install libcbor llvm mandoc openssl@3.0 pkg-config zlib
- name: build
env:
diff --git a/contrib/libfido2/.github/workflows/openssl3.yml b/contrib/libfido2/.github/workflows/openssl3.yml
index ee70c087d285..b51685dff102 100644
--- a/contrib/libfido2/.github/workflows/openssl3.yml
+++ b/contrib/libfido2/.github/workflows/openssl3.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# SPDX-License-Identifier: BSD-2-Clause
@@ -21,12 +21,12 @@ jobs:
fail-fast: false
matrix:
include:
- - os: ubuntu-22.04
- cc: gcc-11
- - os: ubuntu-22.04
- cc: clang-16
- - os: ubuntu-22.04
- cc: i686-w64-mingw32-gcc-10
+ - os: ubuntu-24.04
+ cc: gcc-13
+ - os: ubuntu-24.04
+ cc: clang-19
+ - os: ubuntu-24.04
+ cc: i686-w64-mingw32-gcc-11
steps:
- uses: actions/checkout@v4
- name: dependencies
diff --git a/contrib/libfido2/.github/workflows/shellcheck.yml b/contrib/libfido2/.github/workflows/shellcheck.yml
new file mode 100644
index 000000000000..cdda760ae2b6
--- /dev/null
+++ b/contrib/libfido2/.github/workflows/shellcheck.yml
@@ -0,0 +1,27 @@
+# Copyright (c) 2024 Google LLC. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+name: shellcheck
+
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+ - '*-ci'
+
+jobs:
+ build:
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v4
+ - name: dependencies
+ run: |
+ sudo apt -q update
+ sudo apt install -q -y shellcheck
+ - name: build
+ run: ./.actions/run-shellcheck
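Review bot: This new workflow declares no `permissions:` block, so the job's GITHUB_TOKEN gets the repository's default scopes even though the job only checks out the tree and runs a linter. A top-level `permissions:` with `contents: read` would scope it to what the job needs; codeql-analysis.yml in this same commit appears to declare one already (the key shows in that file's hunk header). `actions/checkout@v4` is also referenced by a movable tag, and pinning it to a full commit SHA with the tag in a trailing comment would make the reference immutable. The same pinning point applies to the `upload-artifact@v4` and `codeql-action/*@v3` bumps in the other workflow hunks.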
diff --git a/contrib/libfido2/CMakeLists.txt b/contrib/libfido2/CMakeLists.txt
index c4f7b1b7b51e..2630e263ecd2 100644
--- a/contrib/libfido2/CMakeLists.txt
+++ b/contrib/libfido2/CMakeLists.txt
@@ -28,8 +28,10 @@ endif()
set(CMAKE_POSITION_INDEPENDENT_CODE ON)
set(CMAKE_COLOR_MAKEFILE OFF)
set(CMAKE_VERBOSE_MAKEFILE ON)
+set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
+
set(FIDO_MAJOR "1")
-set(FIDO_MINOR "14")
+set(FIDO_MINOR "16")
set(FIDO_PATCH "0")
set(FIDO_VERSION ${FIDO_MAJOR}.${FIDO_MINOR}.${FIDO_PATCH})
@@ -190,6 +192,9 @@ if(MSVC)
if(NOT CRYPTO_LIBRARIES)
set(CRYPTO_LIBRARIES crypto)
endif()
+ if(NOT CRYPTO_DLL)
+ set(CRYPTO_DLL crypto)
+ endif()
set(MSVC_DISABLED_WARNINGS_LIST
"C4152" # nonstandard extension used: function/data pointer
@@ -435,6 +440,9 @@ message(STATUS "CRYPTO_LIBRARY_DIRS: ${CRYPTO_LIBRARY_DIRS}")
if(BUILD_TESTS)
message(STATUS "CRYPTO_BIN_DIRS: ${CRYPTO_BIN_DIRS}")
endif()
+if(MSVC)
+ message(STATUS "CRYPTO_DLL: ${CRYPTO_DLL}")
+endif()
message(STATUS "CRYPTO_VERSION: ${CRYPTO_VERSION}")
message(STATUS "FIDO_VERSION: ${FIDO_VERSION}")
message(STATUS "FUZZ: ${FUZZ}")
@@ -484,7 +492,7 @@ endif()
if(BUILD_TOOLS)
add_subdirectory(tools)
endif()
-if(BUILD_MANPAGES)
+if(BUILD_MANPAGES AND NOT MSVC)
add_subdirectory(man)
endif()
diff --git a/contrib/libfido2/LICENSE b/contrib/libfido2/LICENSE
index ad0e13358930..bfafcbe13129 100644
--- a/contrib/libfido2/LICENSE
+++ b/contrib/libfido2/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2018-2023 Yubico AB. All rights reserved.
+Copyright (c) 2018-2024 Yubico AB. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
diff --git a/contrib/libfido2/NEWS b/contrib/libfido2/NEWS
index 58387ffd72bf..9f7c1563ba87 100644
--- a/contrib/libfido2/NEWS
+++ b/contrib/libfido2/NEWS
@@ -1,12 +1,34 @@
+* Version 1.16.0 (2025-05-06)
+ ** Added support for enterprise attestation.
+ ** Improved handling of invalid key handles in U2F key lookup; gh#819.
+ ** Fixed issue where storing small CTAP 2.1 largeBlobs failed; gh#826.
+ ** Fixed APDU chaining issues for certain authenticators; gh#818, gh#855.
+ ** Improved documentation and examples.
+ ** New API calls:
+ - fido_cred_entattest;
+ - fido_cred_set_entattest.
+
+* Version 1.15.0 (2024-06-13)
+ ** 1.15.0 will be the last release to support OpenSSL 1.1.
+ ** bio, credman: improved CTAP 2.1 support.
+ ** hid_osx: fix issue where fido_hid_read() may block unnecessarily; gh#757.
+ ** fido2-token -I: print maxcredbloblen.
+ ** hid_linux: improved support for uhid devices.
+ ** New API calls:
+ - fido_cred_set_attobj;
+ - fido_cred_x5c_list_count;
+ - fido_cred_x5c_list_len;
+ - fido_cred_x5c_list_ptr.
+
* Version 1.14.0 (2023-11-13)
** fido2-cred -M, fido2-token -G: support raw client data via -w flag.
** winhello: support U2F AppID extension for assertions.
** winhello: fix restrictive parsing of the hmac-secret on assertions.
** winhello: translate NTE_USER_CANCELLED to FIDO_ERR_OPERATION_DENIED; gh#685.
** New API calls:
- ** fido_assert_authdata_raw_len;
- ** fido_assert_authdata_raw_ptr;
- ** fido_assert_set_winhello_appid.
+ - fido_assert_authdata_raw_len;
+ - fido_assert_authdata_raw_ptr;
+ - fido_assert_set_winhello_appid.
* Version 1.13.0 (2023-02-20)
** Support for linking against OpenSSL on Windows; gh#668.
diff --git a/contrib/libfido2/README.adoc b/contrib/libfido2/README.adoc
index fb6f3d3eb004..38e882598ab3 100644
--- a/contrib/libfido2/README.adoc
+++ b/contrib/libfido2/README.adoc
@@ -38,7 +38,7 @@ is also available.
=== Releases
-The current release of *libfido2* is 1.14.0. Signed release tarballs are
+The current release of *libfido2* is 1.16.0. Signed release tarballs are
available at Yubico's
https://developers.yubico.com/libfido2/Releases[release page].
@@ -52,11 +52,11 @@ required.
=== Installation
-==== Fedora 35 and 34
+==== Fedora 34 and later
$ sudo dnf install libfido2 libfido2-devel fido2-tools
-==== Ubuntu 22.04 (Jammy) and 20.04 (Focal)
+==== Ubuntu 20.04 (Focal) and later
$ sudo apt install libfido2-1 libfido2-dev libfido2-doc fido2-tools
diff --git a/contrib/libfido2/SECURITY.md b/contrib/libfido2/SECURITY.md
index e12a48a847ba..8071bc9a460a 100644
--- a/contrib/libfido2/SECURITY.md
+++ b/contrib/libfido2/SECURITY.md
@@ -2,4 +2,4 @@
To report security issues in libfido2, please contact security@yubico.com.
A PGP public key can be found at
-https://www.yubico.com/support/security-advisories/issue-rating-system/.
+https://www.yubico.com/support/issue-rating-system/.
diff --git a/contrib/libfido2/examples/README.adoc b/contrib/libfido2/examples/README.adoc
index 6151b70bd91e..1249366f3e0f 100644
--- a/contrib/libfido2/examples/README.adoc
+++ b/contrib/libfido2/examples/README.adoc
@@ -64,7 +64,8 @@ The following examples are provided:
The -T option may be used to enforce a timeout of <seconds>. If the
option -b is specified, the credential's "largeBlob" key is stored in
<blobkey>. If the option -c is specified the the generated credential
- will be bound by the specified protection policy.
+ will be bound by the specified protection policy. If the option -a is
+ specified, enterprise attestation will be requested.
- assert [-t es256|es384|rs256|eddsa] [-a cred_id] [-h hmac_secret] [-P pin]
[-s hmac_salt] [-T seconds] [-b blobkey] [-puv] <pubkey> <device>
diff --git a/contrib/libfido2/examples/cred.c b/contrib/libfido2/examples/cred.c
index 5a2a27fd7771..4fb07868b4e7 100644
--- a/contrib/libfido2/examples/cred.c
+++ b/contrib/libfido2/examples/cred.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2023 Yubico AB. All rights reserved.
+ * Copyright (c) 2018-2024 Yubico AB. All rights reserved.
* Use of this source code is governed by a BSD-style
* license that can be found in the LICENSE file.
* SPDX-License-Identifier: BSD-2-Clause
@@ -36,7 +36,8 @@ static void
usage(void)
{
fprintf(stderr, "usage: cred [-t es256|es384|rs256|eddsa] [-k pubkey] "
- "[-ei cred_id] [-P pin] [-T seconds] [-b blobkey] [-c cred_protect] [-hruv] "
+ "[-ei cred_id] [-P pin] [-T seconds] [-b blobkey] [-c cred_protect] "
+ "[-a mode] [-hruv] "
"<device>\n");
exit(EXIT_FAILURE);
}
@@ -106,9 +107,13 @@ verify_cred(int type, const char *fmt, const unsigned char *authdata_ptr,
if (r != FIDO_OK)
errx(1, "fido_cred_set_attstmt: %s (0x%x)", fido_strerr(r), r);
- r = fido_cred_verify(cred);
- if (r != FIDO_OK)
- errx(1, "fido_cred_verify: %s (0x%x)", fido_strerr(r), r);
+ if (fido_cred_x5c_ptr(cred) == NULL) {
+ if ((r = fido_cred_verify_self(cred)) != FIDO_OK)
+ errx(1, "fido_cred_verify_self: %s (0x%x)", fido_strerr(r), r);
+ } else {
+ if ((r = fido_cred_verify(cred)) != FIDO_OK)
+ errx(1, "fido_cred_verify: %s (0x%x)", fido_strerr(r), r);
+ }
out:
if (key_out != NULL) {
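Review bot: The new branch chooses the verification routine from the attestation statement itself: when `fido_cred_x5c_ptr(cred)` is NULL the example accepts the credential through `fido_cred_verify_self()`. Self attestation only shows that the statement was signed with the credential's own key and says nothing about which authenticator produced it, so a reader copying this into a relying party that requires attested authenticators would accept unattested ones without noticing. A comment above the `if` would make the policy decision explicit, e.g. `/* no x5c: self attestation; proves key possession only, not authenticator provenance */`. verify_cred() starts before this hunk and continues after it.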
@@ -166,11 +171,12 @@ main(int argc, char **argv)
int ch;
int r;
long long cred_protect = 0;
+ long long ea = 0;
if ((cred = fido_cred_new()) == NULL)
errx(1, "fido_cred_new");
- while ((ch = getopt(argc, argv, "P:T:b:e:hi:k:rt:uvc:")) != -1) {
+ while ((ch = getopt(argc, argv, "P:T:a:b:e:hi:k:rt:uvc:")) != -1) {
switch (ch) {
case 'P':
pin = optarg;
@@ -182,6 +188,12 @@ main(int argc, char **argv)
errx(1, "-T: %s must be in (0,30]", optarg);
ms *= 1000; /* seconds to milliseconds */
break;
+ case 'a':
+ if (base10(optarg, &ea) < 0)
+ errx(1, "base10: %s", optarg);
+ if (ea <= 0 || ea > 2)
+ errx(1, "-a: %s must be in (0,2]", optarg);
+ break;
case 'b':
ext |= FIDO_EXT_LARGEBLOB_KEY;
blobkey_out = optarg;
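Review bot: The `-a` case accepts the bare values 1 and 2 without saying what they select, and the usage string only says `[-a mode]`. These presumably map to the two CTAP 2.1 enterprise attestation modes (1 vendor-facilitated, 2 platform-managed). Enterprise attestation can return device-identifying information, so a user of the example should be able to tell which mode is being requested. A comment on the range check such as `/* 1: vendor-facilitated, 2: platform-managed (CTAP 2.1 enterprise attestation) */`, with the same wording in usage(), would cover it. The switch statement continues outside the hunk.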
@@ -203,7 +215,7 @@ main(int argc, char **argv)
if (base10(optarg, &cred_protect) < 0)
errx(1, "base10: %s", optarg);
if (cred_protect <= 0 || cred_protect > 3)
- errx(1, "-c: %s must be in (1,3)", optarg);
+ errx(1, "-c: %s must be in (0,3]", optarg);
ext |= FIDO_EXT_CRED_PROTECT;
break;
case 'i':
@@ -293,6 +305,9 @@ main(int argc, char **argv)
if (cred_protect != 0 && (r = fido_cred_set_prot(cred,
(int)cred_protect)) != FIDO_OK)
errx(1, "fido_cred_set_prot: %s (0x%x)", fido_strerr(r), r);
+
+ if (ea != 0 && (r = fido_cred_set_entattest(cred, (int)ea)) != FIDO_OK)
+ errx(1, "fido_cred_set_entattest: %s (0x%x)", fido_strerr(r), r);
/* timeout */
if (ms != 0 && (r = fido_dev_set_timeout(dev, (int)ms)) != FIDO_OK)
diff --git a/contrib/libfido2/fuzz/CMakeLists.txt b/contrib/libfido2/fuzz/CMakeLists.txt
index cc30baae88f2..0bf4bfbf05a5 100644
--- a/contrib/libfido2/fuzz/CMakeLists.txt
+++ b/contrib/libfido2/fuzz/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) 2019-2023 Yubico AB. All rights reserved.
+# Copyright (c) 2019-2024 Yubico AB. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# SPDX-License-Identifier: BSD-2-Clause
@@ -18,6 +18,10 @@ set(FUZZ_LINKER_LANGUAGE "C" CACHE STRING "Linker language for fuzz harnesses")
mark_as_advanced(FUZZ_LINKER_LANGUAGE)
enable_language(${FUZZ_LINKER_LANGUAGE})
+if(NOT FUZZ_LDFLAGS)
+ message(FATAL_ERROR "Please define FUZZ_LDFLAGS")
+endif()
+
# fuzz_cred
add_executable(fuzz_cred fuzz_cred.c ${COMMON_SOURCES} ${COMPAT_SOURCES})
set_target_properties(fuzz_cred PROPERTIES
@@ -80,3 +84,10 @@ set_target_properties(fuzz_pcsc PROPERTIES
LINK_FLAGS ${FUZZ_LDFLAGS}
LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE})
target_link_libraries(fuzz_pcsc fido2_shared)
+
+# fuzz_attobj
+add_executable(fuzz_attobj fuzz_attobj.c ${COMMON_SOURCES} ${COMPAT_SOURCES})
+set_target_properties(fuzz_attobj PROPERTIES
+ LINK_FLAGS ${FUZZ_LDFLAGS}
+ LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE})
+target_link_libraries(fuzz_attobj fido2_shared)
diff --git a/contrib/libfido2/fuzz/Dockerfile b/contrib/libfido2/fuzz/Dockerfile
index 7b26e6ec3b19..1ab14c33da75 100644
--- a/contrib/libfido2/fuzz/Dockerfile
+++ b/contrib/libfido2/fuzz/Dockerfile
@@ -10,7 +10,7 @@ RUN apk -q update
RUN apk add build-base clang clang-analyzer cmake compiler-rt coreutils
RUN apk add eudev-dev git linux-headers llvm openssl-dev pcsc-lite-dev
RUN apk add sudo tar zlib-dev
-RUN git clone --branch v0.10.2 --depth=1 https://github.com/PJK/libcbor
+RUN git clone --branch v0.12.0 --depth=1 https://github.com/PJK/libcbor
RUN git clone --depth=1 https://github.com/yubico/libfido2
WORKDIR /libfido2
RUN ./fuzz/build-coverage /libcbor /libfido2
diff --git a/contrib/libfido2/fuzz/Makefile b/contrib/libfido2/fuzz/Makefile
index 55a506bc8312..a7ac24c0da58 100644
--- a/contrib/libfido2/fuzz/Makefile
+++ b/contrib/libfido2/fuzz/Makefile
@@ -3,12 +3,12 @@
# license that can be found in the LICENSE file.
# SPDX-License-Identifier: BSD-2-Clause
-IMAGE := libfido2-coverage:1.14.0
+IMAGE := libfido2-coverage:1.16.0
RUNNER := libfido2-runner
PROFDATA := llvm-profdata
COV := llvm-cov
-TARGETS := fuzz_assert fuzz_bio fuzz_cred fuzz_credman fuzz_hid \
- fuzz_largeblob fuzz_netlink fuzz_mgmt fuzz_pcsc
+TARGETS := fuzz_assert fuzz_attobj fuzz_bio fuzz_cred fuzz_credman \
+ fuzz_hid fuzz_largeblob fuzz_netlink fuzz_mgmt fuzz_pcsc
CORPORA := $(foreach f,${TARGETS},${f}/corpus)
MINIFY := $(foreach f,${TARGETS},/minify/${f}/corpus)
REMOTE := gs://libfido2-corpus.clusterfuzz-external.appspot.com
diff --git a/contrib/libfido2/fuzz/export.gnu b/contrib/libfido2/fuzz/export.gnu
index bc25dd66cba7..62dfda926944 100644
--- a/contrib/libfido2/fuzz/export.gnu
+++ b/contrib/libfido2/fuzz/export.gnu
@@ -127,6 +127,7 @@
fido_cred_clientdata_hash_len;
fido_cred_clientdata_hash_ptr;
fido_cred_display_name;
+ fido_cred_entattest;
fido_cred_exclude;
fido_cred_flags;
fido_cred_largeblob_key_len;
@@ -166,11 +167,13 @@
fido_cred_rp_id;
fido_cred_rp_name;
fido_cred_set_attstmt;
+ fido_cred_set_attobj;
fido_cred_set_authdata;
fido_cred_set_authdata_raw;
fido_cred_set_blob;
fido_cred_set_clientdata;
fido_cred_set_clientdata_hash;
+ fido_cred_set_entattest;
fido_cred_set_extensions;
fido_cred_set_fmt;
fido_cred_set_id;
@@ -193,6 +196,9 @@
fido_cred_verify;
fido_cred_verify_self;
fido_cred_x5c_len;
+ fido_cred_x5c_list_count;
+ fido_cred_x5c_list_len;
+ fido_cred_x5c_list_ptr;
fido_cred_x5c_ptr;
fido_dev_build;
fido_dev_cancel;
diff --git a/contrib/libfido2/fuzz/functions.txt b/contrib/libfido2/fuzz/functions.txt
index 4ad5a0c83f5c..5dab11c62d50 100644
--- a/contrib/libfido2/fuzz/functions.txt
+++ b/contrib/libfido2/fuzz/functions.txt
@@ -1,31 +1,31 @@
File '/libfido2/src/aes256.c':
Name Regions Miss Cover Lines Miss Cover
---------------------------------------------------------------------------------------------------------
+------------------------------------------------------------------------------
aes256_cbc_enc 4 0 100.00% 4 0 100.00%
aes256_cbc_dec 4 0 100.00% 4 0 100.00%
aes256_gcm_enc 1 0 100.00% 3 0 100.00%
aes256_gcm_dec 1 0 100.00% 3 0 100.00%
-aes256.c:aes256_cbc_fips 26 1 96.15% 42 4 90.48%
-aes256.c:aes256_cbc 29 1 96.55% 36 3 91.67%
+aes256.c:aes256_cbc_fips 29 1 96.55% 42 4 90.48%
+aes256.c:aes256_cbc 37 1 97.30% 36 3 91.67%
aes256.c:aes256_cbc_proto1 1 0 100.00% 5 0 100.00%
-aes256.c:aes256_gcm 52 1 98.08% 60 4 93.33%
---------------------------------------------------------------------------------------------------------
-TOTAL 118 3 97.46% 157 11 92.99%
+aes256.c:aes256_gcm 73 3 95.89% 64 10 84.38%
+------------------------------------------------------------------------------
+TOTAL 150 5 96.67% 161 17 89.44%
File '/libfido2/src/assert.c':
Name Regions Miss Cover Lines Miss Cover
------------------------------------------------------------------------------------------------------------------
-fido_dev_get_assert 40 0 100.00% 35 0 100.00%
+---------------------------------------------------------------------------------------
+fido_dev_get_assert 50 0 100.00% 35 0 100.00%
fido_check_flags 13 0 100.00% 15 0 100.00%
-fido_get_signed_hash 20 1 95.00% 34 3 91.18%
-fido_assert_verify 50 4 92.00% 70 7 90.00%
+fido_get_signed_hash 27 1 96.30% 34 3 91.18%
+fido_assert_verify 59 4 93.22% 70 7 90.00%
fido_assert_set_clientdata 12 12 0.00% 11 11 0.00%
fido_assert_set_clientdata_hash 8 0 100.00% 6 0 100.00%
fido_assert_set_hmac_salt 10 0 100.00% 6 0 100.00%
fido_assert_set_hmac_secret 12 12 0.00% 7 7 0.00%
-fido_assert_set_rp 12 0 100.00% 11 0 100.00%
+fido_assert_set_rp 16 0 100.00% 11 0 100.00%
fido_assert_set_winhello_appid 2 2 0.00% 5 5 0.00%
-fido_assert_allow_cred 13 2 84.62% 22 3 86.36%
+fido_assert_allow_cred 16 2 87.50% 22 3 86.36%
fido_assert_empty_allow_list 2 0 100.00% 5 0 100.00%
fido_assert_set_extensions 14 0 100.00% 10 0 100.00%
fido_assert_set_options 8 8 0.00% 5 5 0.00%
@@ -34,71 +34,71 @@ fido_assert_set_uv 2 0 100.00% 4 0
fido_assert_clientdata_hash_ptr 1 0 100.00% 3 0 100.00%
fido_assert_clientdata_hash_len 1 0 100.00% 3 0 100.00%
*** 6320 LINES SKIPPED ***