Date: Fri, 22 Sep 2023 11:03:46 GMT From: Ed Maste <emaste@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 5bfbde817cde - stable/14 - libfido2: update to 1.13.0 Message-ID: <202309221103.38MB3kMc065344@gitrepo.freebsd.org>
The branch stable/14 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=5bfbde817cdedbd7309c38a361cd1211bdcdd70e commit 5bfbde817cdedbd7309c38a361cd1211bdcdd70e Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2023-09-19 17:06:12 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2023-09-22 11:03:36 +0000 libfido2: update to 1.13.0 Some highlights from NEWS entries: ** Improved OpenSSL 3.0 compatibility. ** Support for hidraw(4) on FreeBSD; gh#597. ** Improved support for FIDO 2.1 authenticators. PR: 273596 Relnotes: Yes Sponsored by: The FreeBSD Foundation (cherry picked from commit 2ccfa855b2fc331819953e3de1b1c15ce5b95a7e) --- contrib/libfido2/CMakeLists.txt | 142 ++++++-- contrib/libfido2/LICENSE | 4 +- contrib/libfido2/NEWS | 41 +++ contrib/libfido2/README.adoc | 114 +++++-- contrib/libfido2/examples/CMakeLists.txt | 12 +- contrib/libfido2/examples/README.adoc | 17 +- contrib/libfido2/examples/assert.c | 33 +- contrib/libfido2/examples/cred.c | 29 +- contrib/libfido2/examples/extern.h | 8 +- contrib/libfido2/examples/info.c | 101 +++++- contrib/libfido2/examples/manifest.c | 1 + contrib/libfido2/examples/reset.c | 1 + contrib/libfido2/examples/retries.c | 3 +- contrib/libfido2/examples/select.c | 5 +- contrib/libfido2/examples/setpin.c | 3 +- contrib/libfido2/examples/util.c | 65 +++- contrib/libfido2/fuzz/CMakeLists.txt | 55 ++- contrib/libfido2/fuzz/Dockerfile | 22 +- contrib/libfido2/fuzz/Makefile | 35 +- contrib/libfido2/fuzz/README | 22 +- contrib/libfido2/fuzz/build-coverage | 7 +- contrib/libfido2/fuzz/clock.c | 1 + contrib/libfido2/fuzz/dummy.h | 5 +- contrib/libfido2/fuzz/export.gnu | 32 +- contrib/libfido2/fuzz/functions.txt | 404 ++++++++++++++--------- contrib/libfido2/fuzz/fuzz_assert.c | 43 ++- contrib/libfido2/fuzz/fuzz_bio.c | 5 +- contrib/libfido2/fuzz/fuzz_cred.c | 10 +- contrib/libfido2/fuzz/fuzz_credman.c | 5 +- contrib/libfido2/fuzz/fuzz_hid.c | 5 +- contrib/libfido2/fuzz/fuzz_largeblob.c | 5 +- 
contrib/libfido2/fuzz/fuzz_mgmt.c | 34 +- contrib/libfido2/fuzz/fuzz_netlink.c | 5 +- contrib/libfido2/fuzz/fuzz_pcsc.c | 269 +++++++++++++++ contrib/libfido2/fuzz/libfuzzer.c | 61 +++- contrib/libfido2/fuzz/mutator_aux.c | 21 +- contrib/libfido2/fuzz/mutator_aux.h | 22 +- contrib/libfido2/fuzz/pcsc.c | 153 +++++++++ contrib/libfido2/fuzz/preload-fuzz.c | 1 + contrib/libfido2/fuzz/preload-snoop.c | 1 + contrib/libfido2/fuzz/report.tgz | Bin 323706 -> 357005 bytes contrib/libfido2/fuzz/summary.txt | 77 +++-- contrib/libfido2/fuzz/udev.c | 3 +- contrib/libfido2/fuzz/wiredata_fido2.h | 77 ++++- contrib/libfido2/fuzz/wiredata_u2f.h | 1 + contrib/libfido2/fuzz/wrap.c | 67 +++- contrib/libfido2/fuzz/wrapped.sym | 10 + contrib/libfido2/man/CMakeLists.txt | 53 ++- contrib/libfido2/man/check.sh | 1 + contrib/libfido2/man/eddsa_pk_new.3 | 32 +- contrib/libfido2/man/es256_pk_new.3 | 32 +- contrib/libfido2/man/es384_pk_new.3 | 164 +++++++++ contrib/libfido2/man/fido2-assert.1 | 27 +- contrib/libfido2/man/fido2-cred.1 | 27 +- contrib/libfido2/man/fido2-token.1 | 51 ++- contrib/libfido2/man/fido_assert_allow_cred.3 | 45 ++- contrib/libfido2/man/fido_assert_new.3 | 37 ++- contrib/libfido2/man/fido_assert_set_authdata.3 | 33 +- contrib/libfido2/man/fido_assert_verify.3 | 33 +- contrib/libfido2/man/fido_bio_dev_get_info.3 | 27 +- contrib/libfido2/man/fido_bio_enroll_new.3 | 27 +- contrib/libfido2/man/fido_bio_info_new.3 | 27 +- contrib/libfido2/man/fido_bio_template.3 | 27 +- contrib/libfido2/man/fido_cbor_info_new.3 | 169 +++++++++- contrib/libfido2/man/fido_cred_exclude.3 | 45 ++- contrib/libfido2/man/fido_cred_new.3 | 29 +- contrib/libfido2/man/fido_cred_set_authdata.3 | 46 ++- contrib/libfido2/man/fido_cred_verify.3 | 27 +- contrib/libfido2/man/fido_credman_metadata_new.3 | 27 +- contrib/libfido2/man/fido_dev_enable_entattest.3 | 38 ++- contrib/libfido2/man/fido_dev_get_assert.3 | 27 +- contrib/libfido2/man/fido_dev_get_touch_begin.3 | 27 +- 
contrib/libfido2/man/fido_dev_info_manifest.3 | 31 +- contrib/libfido2/man/fido_dev_largeblob_get.3 | 34 +- contrib/libfido2/man/fido_dev_make_cred.3 | 27 +- contrib/libfido2/man/fido_dev_open.3 | 27 +- contrib/libfido2/man/fido_dev_set_io_functions.3 | 27 +- contrib/libfido2/man/fido_dev_set_pin.3 | 29 +- contrib/libfido2/man/fido_init.3 | 27 +- contrib/libfido2/man/fido_strerr.3 | 27 +- contrib/libfido2/man/rs256_pk_new.3 | 32 +- contrib/libfido2/openbsd-compat/bsd-asprintf.c | 88 +++++ contrib/libfido2/openbsd-compat/clock_gettime.c | 1 + contrib/libfido2/openbsd-compat/endian_win32.c | 1 + contrib/libfido2/openbsd-compat/openbsd-compat.h | 5 + contrib/libfido2/regress/CMakeLists.txt | 57 +++- contrib/libfido2/regress/assert.c | 14 +- contrib/libfido2/regress/compress.c | 268 +++++++++++++++ contrib/libfido2/regress/cred.c | 15 +- contrib/libfido2/regress/dev.c | 43 ++- contrib/libfido2/regress/eddsa.c | 159 +++++++++ contrib/libfido2/regress/es256.c | 199 +++++++++++ contrib/libfido2/regress/es384.c | 213 ++++++++++++ contrib/libfido2/regress/rs256.c | 201 +++++++++++ contrib/libfido2/src/CMakeLists.txt | 31 +- contrib/libfido2/src/aes256.c | 1 + contrib/libfido2/src/assert.c | 206 ++++++++---- contrib/libfido2/src/authkey.c | 26 +- contrib/libfido2/src/bio.c | 116 ++++--- contrib/libfido2/src/blob.c | 1 + contrib/libfido2/src/blob.h | 1 + contrib/libfido2/src/buf.c | 1 + contrib/libfido2/src/cbor.c | 52 ++- contrib/libfido2/src/compress.c | 145 +++++++- contrib/libfido2/src/config.c | 28 +- contrib/libfido2/src/cred.c | 45 ++- contrib/libfido2/src/credman.c | 162 +++++---- contrib/libfido2/src/dev.c | 229 +++---------- contrib/libfido2/src/diff_exports.sh | 1 + contrib/libfido2/src/ecdh.c | 1 + contrib/libfido2/src/eddsa.c | 14 +- contrib/libfido2/src/err.c | 1 + contrib/libfido2/src/es256.c | 66 ++-- contrib/libfido2/src/es384.c | 296 +++++++++++++++++ contrib/libfido2/src/export.gnu | 22 +- contrib/libfido2/src/export.llvm | 22 +- 
contrib/libfido2/src/export.msvc | 22 +- contrib/libfido2/src/extern.h | 30 +- contrib/libfido2/src/fallthrough.h | 21 ++ contrib/libfido2/src/fido.h | 46 ++- contrib/libfido2/src/fido/bio.h | 26 +- contrib/libfido2/src/fido/config.h | 26 +- contrib/libfido2/src/fido/credman.h | 26 +- contrib/libfido2/src/fido/eddsa.h | 28 +- contrib/libfido2/src/fido/err.h | 26 +- contrib/libfido2/src/fido/es256.h | 26 +- contrib/libfido2/src/fido/es384.h | 59 ++++ contrib/libfido2/src/fido/param.h | 57 +++- contrib/libfido2/src/fido/rs256.h | 26 +- contrib/libfido2/src/fido/types.h | 78 ++++- contrib/libfido2/src/hid.c | 1 + contrib/libfido2/src/hid_freebsd.c | 1 + contrib/libfido2/src/hid_hidapi.c | 13 +- contrib/libfido2/src/hid_linux.c | 50 ++- contrib/libfido2/src/hid_netbsd.c | 1 + contrib/libfido2/src/hid_openbsd.c | 101 +++--- contrib/libfido2/src/hid_osx.c | 26 +- contrib/libfido2/src/hid_unix.c | 1 + contrib/libfido2/src/hid_win.c | 5 +- contrib/libfido2/src/info.c | 171 +++++++++- contrib/libfido2/src/io.c | 26 +- contrib/libfido2/src/iso7816.c | 1 + contrib/libfido2/src/iso7816.h | 1 + contrib/libfido2/src/largeblob.c | 34 +- contrib/libfido2/src/log.c | 1 + contrib/libfido2/src/netlink.c | 1 + contrib/libfido2/src/netlink.h | 1 + contrib/libfido2/src/nfc.c | 350 ++++++++++++++++++++ contrib/libfido2/src/nfc_linux.c | 387 +++------------------- contrib/libfido2/src/packed.h | 1 + contrib/libfido2/src/pcsc.c | 394 ++++++++++++++++++++++ contrib/libfido2/src/pin.c | 77 +++-- contrib/libfido2/src/random.c | 1 + contrib/libfido2/src/reset.c | 1 + contrib/libfido2/src/rs1.c | 3 +- contrib/libfido2/src/rs256.c | 29 +- contrib/libfido2/src/time.c | 1 + contrib/libfido2/src/touch.c | 109 ++++++ contrib/libfido2/src/tpm.c | 3 +- contrib/libfido2/src/types.c | 17 +- contrib/libfido2/src/u2f.c | 93 ++++-- contrib/libfido2/src/util.c | 31 ++ contrib/libfido2/src/webauthn.h | 75 ++++- contrib/libfido2/src/winhello.c | 122 +++++-- contrib/libfido2/tools/CMakeLists.txt | 12 +- 
contrib/libfido2/tools/assert_get.c | 7 +- contrib/libfido2/tools/assert_verify.c | 30 +- contrib/libfido2/tools/base64.c | 1 + contrib/libfido2/tools/bio.c | 1 + contrib/libfido2/tools/config.c | 1 + contrib/libfido2/tools/cred_make.c | 7 +- contrib/libfido2/tools/cred_verify.c | 1 + contrib/libfido2/tools/credman.c | 1 + contrib/libfido2/tools/extern.h | 4 +- contrib/libfido2/tools/fido2-assert.c | 1 + contrib/libfido2/tools/fido2-attach.sh | 1 + contrib/libfido2/tools/fido2-cred.c | 1 + contrib/libfido2/tools/fido2-detach.sh | 1 + contrib/libfido2/tools/fido2-token.c | 1 + contrib/libfido2/tools/fido2-unprot.sh | 1 + contrib/libfido2/tools/include_check.sh | 1 + contrib/libfido2/tools/largeblob.c | 59 +++- contrib/libfido2/tools/pin.c | 26 +- contrib/libfido2/tools/test.sh | 46 +-- contrib/libfido2/tools/token.c | 159 ++++++++- contrib/libfido2/tools/util.c | 70 +++- contrib/libfido2/udev/70-u2f.rules | 39 ++- contrib/libfido2/udev/CMakeLists.txt | 1 + contrib/libfido2/udev/check.sh | 1 + contrib/libfido2/udev/fidodevs | 3 + contrib/libfido2/udev/genrules.awk | 32 +- contrib/libfido2/windows/build.ps1 | 32 +- contrib/libfido2/windows/const.ps1 | 14 +- contrib/libfido2/windows/cygwin.ps1 | 2 + contrib/libfido2/windows/release.ps1 | 30 +- lib/libfido2/Makefile | 6 +- 196 files changed, 7592 insertions(+), 1733 deletions(-) diff --git a/contrib/libfido2/CMakeLists.txt b/contrib/libfido2/CMakeLists.txt index 11a51ac5a645..6fa341a01cc6 100644 --- a/contrib/libfido2/CMakeLists.txt +++ b/contrib/libfido2/CMakeLists.txt @@ -1,6 +1,7 @@ -# Copyright (c) 2018-2021 Yubico AB. All rights reserved. +# Copyright (c) 2018-2022 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. +# SPDX-License-Identifier: BSD-2-Clause # detect AppleClang; needs to come before project() cmake_policy(SET CMP0025 NEW) 
@@ -28,18 +29,19 @@ set(CMAKE_POSITION_INDEPENDENT_CODE ON) set(CMAKE_COLOR_MAKEFILE OFF) set(CMAKE_VERBOSE_MAKEFILE ON) set(FIDO_MAJOR "1") -set(FIDO_MINOR "10") +set(FIDO_MINOR "13") set(FIDO_PATCH "0") set(FIDO_VERSION ${FIDO_MAJOR}.${FIDO_MINOR}.${FIDO_PATCH}) +option(BUILD_TESTS "Build the regress tests" ON) option(BUILD_EXAMPLES "Build example programs" ON) option(BUILD_MANPAGES "Build man pages" ON) -option(BUILD_SHARED_LIBS "Build the shared library" ON) -option(BUILD_STATIC_LIBS "Build the static library" ON) +option(BUILD_SHARED_LIBS "Build a shared library" ON) +option(BUILD_STATIC_LIBS "Build a static library" ON) option(BUILD_TOOLS "Build tool programs" ON) option(FUZZ "Enable fuzzing instrumentation" OFF) -option(LIBFUZZER "Build libfuzzer harnesses" OFF) option(USE_HIDAPI "Use hidapi as the HID backend" OFF) +option(USE_PCSC "Enable experimental PCSC support" OFF) option(USE_WINHELLO "Abstract Windows Hello as a FIDO device" ON) option(NFC_LINUX "Enable NFC support on Linux" ON) @@ -47,6 +49,14 @@ add_definitions(-D_FIDO_MAJOR=${FIDO_MAJOR}) add_definitions(-D_FIDO_MINOR=${FIDO_MINOR}) add_definitions(-D_FIDO_PATCH=${FIDO_PATCH}) +if(BUILD_SHARED_LIBS) + set(_FIDO2_LIBRARY fido2_shared) +elseif(BUILD_STATIC_LIBS) + set(_FIDO2_LIBRARY fido2) +else() + message(FATAL_ERROR "Nothing to build (BUILD_*_LIBS=OFF)") +endif() + if(CYGWIN OR MSYS OR MINGW) set(WIN32 1) endif() @@ -66,7 +76,7 @@ if(NOT MSVC) if(APPLE) set(FIDO_CFLAGS "${FIDO_CFLAGS} -D_DARWIN_C_SOURCE") set(FIDO_CFLAGS "${FIDO_CFLAGS} -D__STDC_WANT_LIB_EXT1__=1") - elseif(CMAKE_SYSTEM_NAME STREQUAL "Linux") + elseif((CMAKE_SYSTEM_NAME STREQUAL "Linux") OR MINGW OR CYGWIN) set(FIDO_CFLAGS "${FIDO_CFLAGS} -D_GNU_SOURCE") set(FIDO_CFLAGS "${FIDO_CFLAGS} -D_DEFAULT_SOURCE") elseif(CMAKE_SYSTEM_NAME STREQUAL "FreeBSD" OR 
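Review bot: The new `_FIDO2_LIBRARY` selection picks `fido2_shared` whenever BUILD_SHARED_LIBS is ON, so with both library types enabled (the default) the examples, tools and regress programs now link against the shared library, whereas the per-directory block it replaces in examples/CMakeLists.txt preferred the static one. That is a behavioural change for anyone running binaries out of the build tree, and is presumably why the MSVC branch now insists on `{CBOR,CRYPTO,ZLIB}_BIN_DIRS` when tests are built. A one-line comment above `if(BUILD_SHARED_LIBS)` would make the preference explicit: `# Prefer the shared library for examples/tools/regress when both are built.` The `FATAL_ERROR` for the neither-enabled case is a welcome addition over the old silent fallback.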
@@ -91,6 +101,7 @@ check_include_files(sys/random.h HAVE_SYS_RANDOM_H) check_include_files(unistd.h HAVE_UNISTD_H) check_symbol_exists(arc4random_buf stdlib.h HAVE_ARC4RANDOM_BUF) +check_symbol_exists(asprintf stdio.h HAVE_ASPRINTF) check_symbol_exists(clock_gettime time.h HAVE_CLOCK_GETTIME) check_symbol_exists(explicit_bzero string.h HAVE_EXPLICIT_BZERO) check_symbol_exists(freezero stdlib.h HAVE_FREEZERO) @@ -116,6 +127,7 @@ try_compile(HAVE_POSIX_IOCTL list(APPEND CHECK_VARIABLES HAVE_ARC4RANDOM_BUF + HAVE_ASPRINTF HAVE_CBOR_H HAVE_CLOCK_GETTIME HAVE_ENDIAN_H @@ -147,7 +159,7 @@ foreach(v ${CHECK_VARIABLES}) endif() endforeach() -if(HAVE_EXPLICIT_BZERO AND NOT LIBFUZZER) +if(HAVE_EXPLICIT_BZERO AND NOT FUZZ) add_definitions(-DHAVE_EXPLICIT_BZERO) endif() 
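Review bot: `if(HAVE_EXPLICIT_BZERO AND NOT FUZZ)` now withholds the system explicit_bzero from every fuzzing build, where previously only LIBFUZZER builds lost it, and the reason is not recorded. If the intent is to route zeroisation through the openbsd-compat fallback so the fuzz wrappers or sanitizer instrumentation can observe it (an inference, not visible here), say so next to the condition: `# fuzz builds use the compat explicit_bzero so memory clearing stays instrumentable`. Without that, the next person tidying the CMake is likely to "fix" it back.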
@@ -155,19 +167,30 @@ if(UNIX) add_definitions(-DHAVE_DEV_URANDOM) endif() + if(MSVC) if((NOT CBOR_INCLUDE_DIRS) OR (NOT CBOR_LIBRARY_DIRS) OR - (NOT CBOR_BIN_DIRS) OR (NOT CRYPTO_INCLUDE_DIRS) OR - (NOT CRYPTO_LIBRARY_DIRS) OR (NOT CRYPTO_BIN_DIRS) OR - (NOT ZLIB_INCLUDE_DIRS) OR (NOT ZLIB_LIBRARY_DIRS) OR - (NOT ZLIB_BIN_DIRS)) + (NOT CRYPTO_INCLUDE_DIRS) OR (NOT CRYPTO_LIBRARY_DIRS) OR + (NOT ZLIB_INCLUDE_DIRS) OR (NOT ZLIB_LIBRARY_DIRS)) message(FATAL_ERROR "please define " - "{CBOR,CRYPTO,ZLIB}_{INCLUDE,LIBRARY,BIN}_DIRS when " + "{CBOR,CRYPTO,ZLIB}_{INCLUDE,LIBRARY}_DIRS when " "building under msvc") endif() - set(CBOR_LIBRARIES cbor) - set(ZLIB_LIBRARIES zlib) - set(CRYPTO_LIBRARIES crypto-47) + if(BUILD_TESTS AND BUILD_SHARED_LIBS AND + ((NOT CBOR_BIN_DIRS) OR (NOT ZLIB_BIN_DIRS) OR (NOT CRYPTO_BIN_DIRS))) + message(FATAL_ERROR "please define {CBOR,CRYPTO,ZLIB}_BIN_DIRS " + "when building tests") + endif() + if(NOT CBOR_LIBRARIES) + set(CBOR_LIBRARIES cbor) + endif() + if(NOT ZLIB_LIBRARIES) + set(ZLIB_LIBRARIES zlib1) + endif() + if(NOT CRYPTO_LIBRARIES) + set(CRYPTO_LIBRARIES crypto) + endif() + set(MSVC_DISABLED_WARNINGS_LIST "C4152" # nonstandard extension used: function/data pointer # conversion in expression; @@ -209,8 +232,12 @@ else() message(FATAL_ERROR "could not find zlib") endif() - set(CBOR_LIBRARIES "cbor") - set(CRYPTO_LIBRARIES "crypto") + if(NOT CBOR_LIBRARIES) + set(CBOR_LIBRARIES "cbor") + endif() + if(NOT CRYPTO_LIBRARIES) + set(CRYPTO_LIBRARIES "crypto") + endif() if(CMAKE_SYSTEM_NAME STREQUAL "Linux") pkg_search_module(UDEV libudev REQUIRED) 
@@ -237,6 +264,17 @@ else() add_compile_options(-Wno-unused-parameter) endif() + if(FUZZ) + set(USE_PCSC ON) + add_definitions(-DFIDO_FUZZ) + endif() + + # If building with PCSC, look for pcsc-lite. + if(USE_PCSC AND NOT (APPLE OR CYGWIN OR MSYS OR MINGW)) + pkg_search_module(PCSC libpcsclite REQUIRED) + set(PCSC_LIBRARIES pcsclite) + endif() + if(USE_HIDAPI) add_definitions(-DUSE_HIDAPI) pkg_search_module(HIDAPI hidapi${HIDAPI_SUFFIX} REQUIRED) @@ -244,7 +282,7 @@ else() endif() if(NFC_LINUX) - add_definitions(-DNFC_LINUX) + add_definitions(-DUSE_NFC) endif() if(WIN32) @@ -263,16 +301,21 @@ else() add_compile_options(-Wwrite-strings) add_compile_options(-Wmissing-prototypes) add_compile_options(-Wbad-function-cast) + add_compile_options(-Wimplicit-fallthrough) add_compile_options(-pedantic) add_compile_options(-pedantic-errors) + set(EXTRA_CFLAGS "-Wconversion -Wsign-conversion") + if(WIN32) add_compile_options(-Wno-type-limits) add_compile_options(-Wno-cast-function-type) endif() + if(HAVE_SHORTEN_64_TO_32) add_compile_options(-Wshorten-64-to-32) endif() + if(HAVE_STACK_PROTECTOR_ALL) add_compile_options(-fstack-protector-all) endif() @@ -285,12 +328,8 @@ else() add_definitions(-DOPENSSL_API_COMPAT=0x10100000L) endif() - if(FUZZ) - add_definitions(-DFIDO_FUZZ) - endif() - - if(LIBFUZZER) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=fuzzer-no-link") + if(NOT FUZZ) + set(EXTRA_CFLAGS "${EXTRA_CFLAGS} -Wframe-larger-than=2047") endif() endif() @@ -309,6 +348,10 @@ elseif(WIN32) endif() add_definitions(-DTLS=${TLS}) +if(USE_PCSC) + add_definitions(-DUSE_PCSC) +endif() + # export list if(APPLE AND (CMAKE_C_COMPILER_ID STREQUAL "Clang" OR CMAKE_C_COMPILER_ID STREQUAL "AppleClang")) 
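Review bot: `set(PCSC_LIBRARIES pcsclite)` immediately overwrites the `PCSC_LIBRARIES` that `pkg_search_module(PCSC libpcsclite REQUIRED)` just populated, hardcoding the library name and discarding whatever a non-standard .pc file reports; elsewhere in this same file CBOR and CRYPTO use `if(NOT CBOR_LIBRARIES)` guards for exactly this purpose. Make it consistent, `if(NOT PCSC_LIBRARIES) set(PCSC_LIBRARIES pcsclite) endif()`, or drop the line. Note also that `if(FUZZ) set(USE_PCSC ON)` silently overrides a user's `-DUSE_PCSC=OFF`; since PCSC is documented as experimental that is defensible for fuzz coverage, but it deserves a comment such as `# fuzz builds always compile the PCSC backend so it is covered`. On APPLE/CYGWIN/MSYS/MINGW nothing in this hunk sets PCSC_LIBRARIES, so that presumably happens in src/CMakeLists.txt, which is not shown.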
@@ -345,16 +388,18 @@ else() " /def:\"${CMAKE_CURRENT_SOURCE_DIR}/src/export.msvc\"") endif() -include_directories(${CMAKE_SOURCE_DIR}/src) +include_directories(${PROJECT_SOURCE_DIR}/src) include_directories(${CBOR_INCLUDE_DIRS}) include_directories(${CRYPTO_INCLUDE_DIRS}) include_directories(${HIDAPI_INCLUDE_DIRS}) +include_directories(${PCSC_INCLUDE_DIRS}) include_directories(${UDEV_INCLUDE_DIRS}) include_directories(${ZLIB_INCLUDE_DIRS}) link_directories(${CBOR_LIBRARY_DIRS}) link_directories(${CRYPTO_LIBRARY_DIRS}) link_directories(${HIDAPI_LIBRARY_DIRS}) +link_directories(${PCSC_LIBRARY_DIRS}) link_directories(${UDEV_LIBRARY_DIRS}) link_directories(${ZLIB_LIBRARY_DIRS}) 
@@ -367,24 +412,41 @@ message(STATUS "BUILD_TOOLS: ${BUILD_TOOLS}") message(STATUS "CBOR_INCLUDE_DIRS: ${CBOR_INCLUDE_DIRS}") message(STATUS "CBOR_LIBRARIES: ${CBOR_LIBRARIES}") message(STATUS "CBOR_LIBRARY_DIRS: ${CBOR_LIBRARY_DIRS}") +if(BUILD_TESTS) + message(STATUS "CBOR_BIN_DIRS: ${CBOR_BIN_DIRS}") +endif() message(STATUS "CBOR_VERSION: ${CBOR_VERSION}") message(STATUS "CMAKE_BUILD_TYPE: ${CMAKE_BUILD_TYPE}") message(STATUS "CMAKE_C_COMPILER: ${CMAKE_C_COMPILER}") message(STATUS "CMAKE_C_COMPILER_ID: ${CMAKE_C_COMPILER_ID}") message(STATUS "CMAKE_C_FLAGS: ${CMAKE_C_FLAGS}") +message(STATUS "CMAKE_CROSSCOMPILING: ${CMAKE_CROSSCOMPILING}") +message(STATUS "CMAKE_GENERATOR_PLATFORM: ${CMAKE_GENERATOR_PLATFORM}") +message(STATUS "CMAKE_HOST_SYSTEM_NAME: ${CMAKE_HOST_SYSTEM_NAME}") +message(STATUS "CMAKE_HOST_SYSTEM_PROCESSOR: ${CMAKE_HOST_SYSTEM_PROCESSOR}") message(STATUS "CMAKE_INSTALL_LIBDIR: ${CMAKE_INSTALL_LIBDIR}") message(STATUS "CMAKE_INSTALL_PREFIX: ${CMAKE_INSTALL_PREFIX}") message(STATUS "CMAKE_SYSTEM_NAME: ${CMAKE_SYSTEM_NAME}") +message(STATUS "CMAKE_SYSTEM_PROCESSOR: ${CMAKE_SYSTEM_PROCESSOR}") message(STATUS "CMAKE_SYSTEM_VERSION: ${CMAKE_SYSTEM_VERSION}") message(STATUS "CRYPTO_INCLUDE_DIRS: ${CRYPTO_INCLUDE_DIRS}") message(STATUS "CRYPTO_LIBRARIES: ${CRYPTO_LIBRARIES}") message(STATUS "CRYPTO_LIBRARY_DIRS: ${CRYPTO_LIBRARY_DIRS}") +if(BUILD_TESTS) + message(STATUS "CRYPTO_BIN_DIRS: ${CRYPTO_BIN_DIRS}") +endif() message(STATUS "CRYPTO_VERSION: ${CRYPTO_VERSION}") message(STATUS "FIDO_VERSION: ${FIDO_VERSION}") message(STATUS "FUZZ: ${FUZZ}") +if(FUZZ) + message(STATUS "FUZZ_LDFLAGS: ${FUZZ_LDFLAGS}") +endif() message(STATUS "ZLIB_INCLUDE_DIRS: ${ZLIB_INCLUDE_DIRS}") message(STATUS "ZLIB_LIBRARIES: ${ZLIB_LIBRARIES}") message(STATUS "ZLIB_LIBRARY_DIRS: ${ZLIB_LIBRARY_DIRS}") +if(BUILD_TESTS) + message(STATUS "ZLIB_BIN_DIRS: ${ZLIB_BIN_DIRS}") +endif() message(STATUS "ZLIB_VERSION: ${ZLIB_VERSION}") if(USE_HIDAPI) message(STATUS "HIDAPI_INCLUDE_DIRS: 
${HIDAPI_INCLUDE_DIRS}") @@ -392,7 +454,10 @@ if(USE_HIDAPI) message(STATUS "HIDAPI_LIBRARY_DIRS: ${HIDAPI_LIBRARY_DIRS}") message(STATUS "HIDAPI_VERSION: ${HIDAPI_VERSION}") endif() -message(STATUS "LIBFUZZER: ${LIBFUZZER}") +message(STATUS "PCSC_INCLUDE_DIRS: ${PCSC_INCLUDE_DIRS}") +message(STATUS "PCSC_LIBRARIES: ${PCSC_LIBRARIES}") +message(STATUS "PCSC_LIBRARY_DIRS: ${PCSC_LIBRARY_DIRS}") +message(STATUS "PCSC_VERSION: ${PCSC_VERSION}") message(STATUS "TLS: ${TLS}") message(STATUS "UDEV_INCLUDE_DIRS: ${UDEV_INCLUDE_DIRS}") message(STATUS "UDEV_LIBRARIES: ${UDEV_LIBRARIES}") @@ -400,29 +465,34 @@ message(STATUS "UDEV_LIBRARY_DIRS: ${UDEV_LIBRARY_DIRS}") message(STATUS "UDEV_RULES_DIR: ${UDEV_RULES_DIR}") message(STATUS "UDEV_VERSION: ${UDEV_VERSION}") message(STATUS "USE_HIDAPI: ${USE_HIDAPI}") +message(STATUS "USE_PCSC: ${USE_PCSC}") message(STATUS "USE_WINHELLO: ${USE_WINHELLO}") message(STATUS "NFC_LINUX: ${NFC_LINUX}") -subdirs(src) +if(BUILD_TESTS) + enable_testing() +endif() + +add_subdirectory(src) + +if(BUILD_TESTS) + add_subdirectory(regress) +endif() if(BUILD_EXAMPLES) - subdirs(examples) + add_subdirectory(examples) endif() if(BUILD_TOOLS) - subdirs(tools) + add_subdirectory(tools) endif() if(BUILD_MANPAGES) - subdirs(man) + add_subdirectory(man) endif() if(NOT WIN32) - if(CMAKE_BUILD_TYPE STREQUAL "Debug" AND NOT FUZZ) - enable_testing() - subdirs(regress) - endif() if(FUZZ) - subdirs(fuzz) + add_subdirectory(fuzz) endif() if(CMAKE_SYSTEM_NAME STREQUAL "Linux") - subdirs(udev) + add_subdirectory(udev) endif() endif() diff --git a/contrib/libfido2/LICENSE b/contrib/libfido2/LICENSE index 75a03f87e3af..ad0e13358930 100644 --- a/contrib/libfido2/LICENSE +++ b/contrib/libfido2/LICENSE @@ -1,4 +1,4 @@ -Copyright (c) 2018-2022 Yubico AB. All rights reserved. +Copyright (c) 2018-2023 Yubico AB. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are 
@@ -22,3 +22,5 @@ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +SPDX-License-Identifier: BSD-2-Clause diff --git a/contrib/libfido2/NEWS b/contrib/libfido2/NEWS index a48b685156c1..bf648aabfd92 100644 --- a/contrib/libfido2/NEWS +++ b/contrib/libfido2/NEWS 
@@ -1,3 +1,44 @@
+* Version 1.13.0 (2023-02-20)
+ ** Support for linking against OpenSSL on Windows; gh#668.
+ ** New API calls:
+ - fido_assert_empty_allow_list;
+ - fido_cred_empty_exclude_list.
+ ** fido2-token: fix issue when listing large blobs.
+ ** Improved support for different fuzzing engines.
+
+* Version 1.12.0 (2022-09-22)
+ ** Support for COSE_ES384.
+ ** Support for hidraw(4) on FreeBSD; gh#597.
+ ** Improved support for FIDO 2.1 authenticators.
+ ** New API calls:
+ - es384_pk_free;
+ - es384_pk_from_EC_KEY;
+ - es384_pk_from_EVP_PKEY;
+ - es384_pk_from_ptr;
+ - es384_pk_new;
+ - es384_pk_to_EVP_PKEY;
+ - fido_cbor_info_certs_len;
+ - fido_cbor_info_certs_name_ptr;
+ - fido_cbor_info_certs_value_ptr;
+ - fido_cbor_info_maxrpid_minpinlen;
+ - fido_cbor_info_minpinlen;
+ - fido_cbor_info_new_pin_required;
+ - fido_cbor_info_rk_remaining;
+ - fido_cbor_info_uv_attempts;
+ - fido_cbor_info_uv_modality.
+ ** Documentation and reliability fixes.
+
+* Version 1.11.0 (2022-05-03)
+ ** Experimental PCSC support; enable with -DUSE_PCSC.
+ ** Improved OpenSSL 3.0 compatibility.
+ ** Use RFC1951 raw deflate to compress CTAP 2.1 largeBlobs.
+ ** winhello: advertise "uv" instead of "clientPin".
+ ** winhello: support hmac-secret in fido_dev_get_assert().
+ ** New API calls:
+ - fido_cbor_info_maxlargeblob.
+ ** Documentation and reliability fixes.
+ ** Separate build and regress targets.
+
 * Version 1.10.0 (2022-01-17)
 ** hid_osx: handle devices with paths > 511 bytes; gh#462.
 ** bio: fix CTAP2 canonical CBOR encoding in fido_bio_dev_enroll_*(); gh#480.
diff --git a/contrib/libfido2/README.adoc b/contrib/libfido2/README.adoc
index 114cc5eed762..44d559894dac 100644
--- a/contrib/libfido2/README.adoc
+++ b/contrib/libfido2/README.adoc
@@ -7,7 +7,7 @@ image:https://github.com/yubico/libfido2/workflows/fuzzer/badge.svg["Fuzz Status image:https://oss-fuzz-build-logs.storage.googleapis.com/badges/libfido2.svg["Fuzz Status (oss-fuzz)", link="https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:libfido2"] *libfido2* provides library functionality and command-line tools to -communicate with a FIDO device over USB, and to verify attestation and +communicate with a FIDO device over USB or NFC, and to verify attestation and assertion signatures. *libfido2* supports the FIDO U2F (CTAP 1) and FIDO2 (CTAP 2) protocols. @@ -23,8 +23,6 @@ file for the full license text. *libfido2* is known to work on Linux, macOS, Windows, OpenBSD, and FreeBSD. -NFC support is available on Linux and Windows. - === Documentation Documentation is available in troff and HTML formats. An 
@@ -38,19 +36,29 @@ is also available. * Perl: https://github.com/jacquesg/p5-FIDO-Raw[p5-FIDO-Raw] * Rust: https://github.com/PvdBerg1998/libfido2[libfido2] +=== Releases + +The current release of *libfido2* is 1.13.0. Signed release tarballs are +available at Yubico's +https://developers.yubico.com/libfido2/Releases[release page]. + +=== Dependencies + +*libfido2* depends on https://github.com/pjk/libcbor[libcbor], +https://www.openssl.org[OpenSSL] 1.1 or newer, and https://zlib.net[zlib]. +On Linux, libudev +(part of https://www.freedesktop.org/wiki/Software/systemd[systemd]) is also +required. + === Installation -==== Releases +==== Fedora 35 and 34 -The current release of *libfido2* is 1.10.0. Please consult Yubico's -https://developers.yubico.com/libfido2/Releases[release page] for source -and binary releases. + $ sudo dnf install libfido2 libfido2-devel fido2-tools -==== Ubuntu 20.04 (Focal) +==== Ubuntu 22.04 (Jammy) and 20.04 (Focal) - $ sudo apt install libfido2-1 - $ sudo apt install libfido2-dev - $ sudo apt install libfido2-doc + $ sudo apt install libfido2-1 libfido2-dev libfido2-doc fido2-tools Alternatively, newer versions of *libfido2* are available in Yubico's PPA. Follow the instructions for Ubuntu 18.04 (Bionic) below. 
@@ -60,13 +68,31 @@ Follow the instructions for Ubuntu 18.04 (Bionic) below. $ sudo apt install software-properties-common $ sudo apt-add-repository ppa:yubico/stable $ sudo apt update - $ sudo apt install libfido2-dev + $ sudo apt install libfido2-1 libfido2-dev libfido2-doc fido2-tools + +On Linux, you may need to add a udev rule to be able to access the FIDO +device. For example, the udev rule may contain the following: + +---- +#udev rule for allowing HID access to Yubico devices for FIDO support. + +KERNEL=="hidraw*", SUBSYSTEM=="hidraw", \ + MODE="0664", GROUP="plugdev", ATTRS{idVendor}=="1050" +---- ==== macOS $ brew install libfido2 -Or from source, on UNIX-like systems: +==== Windows + +Please consult Yubico's +https://developers.yubico.com/libfido2/Releases[release page] for ARM, ARM64, +Win32, and Win64 artefacts. + +=== Building from source + +On UNIX-like systems: $ cmake -B build $ make -C build 
@@ -74,23 +100,45 @@ Or from source, on UNIX-like systems: Depending on the platform, https://www.freedesktop.org/wiki/Software/pkg-config/[pkg-config] may need to -be installed, or the PKG_CONFIG_PATH environment variable set. - -*libfido2* depends on https://github.com/pjk/libcbor[libcbor], -https://www.openssl.org[OpenSSL] 1.1 or newer, and https://zlib.net[zlib]. -On Linux, libudev -(part of https://www.freedesktop.org/wiki/Software/systemd[systemd]) is also -required. - -For complete, OS-specific installation instructions, please refer to the -`.actions/` (Linux, macOS) and `windows/` directories. - -On Linux, you will need to add a udev rule to be able to access the FIDO -device, or run as root. For example, the udev rule may contain the following: - ----- -#udev rule for allowing HID access to Yubico devices for FIDO support. - -KERNEL=="hidraw*", SUBSYSTEM=="hidraw", \ - MODE="0664", GROUP="plugdev", ATTRS{idVendor}=="1050" ----- +be installed, or the PKG_CONFIG_PATH environment variable set. For complete, +OS-specific build instructions, please refer to the `.actions/` +(Linux, macOS, BSD) and `windows/` directories. + +=== Build-time Customisation + +*libfido2* supports a number of CMake options. Some of the options require +additional dependencies. Options that are disabled by default are not +officially supported. 
+ +[%autowidth.stretch] +|=== +|*Option* |*Description* |*Default* +| BUILD_EXAMPLES | Build example programs | ON +| BUILD_MANPAGES | Build man pages | ON +| BUILD_SHARED_LIBS | Build a shared library | ON +| BUILD_STATIC_LIBS | Build a static library | ON +| BUILD_TOOLS | Build auxiliary tools | ON +| FUZZ | Enable fuzzing instrumentation | OFF +| NFC_LINUX | Enable netlink NFC support on Linux | ON +| USE_HIDAPI | Use hidapi as the HID backend | OFF +| USE_PCSC | Enable experimental PCSC support | OFF +| USE_WINHELLO | Abstract Windows Hello as a FIDO device | ON +|=== + +The USE_HIDAPI option requires https://github.com/libusb/hidapi[hidapi]. The +USE_PCSC option requires https://github.com/LudovicRousseau/PCSC[pcsc-lite] on +Linux. + +=== Development + +Please use https://github.com/Yubico/libfido2/discussions[GitHub Discussions] +to ask questions and suggest features, and +https://github.com/Yubico/libfido2/pulls[GitHub pull-requests] for code +contributions. + +=== Reporting bugs + +Please use https://github.com/Yubico/libfido2/issues[GitHub Issues] to report +bugs. To report security issues, please contact security@yubico.com. A PGP +public key can be found at +https://www.yubico.com/support/security-advisories/issue-rating-system/. diff --git a/contrib/libfido2/examples/CMakeLists.txt b/contrib/libfido2/examples/CMakeLists.txt index ad3d44faad6b..f013df4e71ec 100644 --- a/contrib/libfido2/examples/CMakeLists.txt +++ b/contrib/libfido2/examples/CMakeLists.txt @@ -1,6 +1,7 @@ # Copyright (c) 2018 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. +# SPDX-License-Identifier: BSD-2-Clause list(APPEND COMPAT_SOURCES ../openbsd-compat/clock_gettime.c 
@@ -13,17 +14,6 @@ if(WIN32 AND BUILD_SHARED_LIBS AND NOT CYGWIN AND NOT MSYS) list(APPEND COMPAT_SOURCES ../openbsd-compat/posix_win.c) endif() -# set the library to link against -if(BUILD_STATIC_LIBS) - # drop -rdynamic - set(CMAKE_SHARED_LIBRARY_LINK_C_FLAGS "") - set(_FIDO2_LIBRARY fido2) -elseif(BUILD_SHARED_LIBS) - set(_FIDO2_LIBRARY fido2_shared) -else() - set(_FIDO2_LIBRARY ${CRYPTO_LIBRARIES} fido2) -endif() - # enable -Wconversion -Wsign-conversion if(NOT MSVC) set_source_files_properties(assert.c cred.c info.c manifest.c reset.c diff --git a/contrib/libfido2/examples/README.adoc b/contrib/libfido2/examples/README.adoc index 44ee52743a0d..d44218c2cf87 100644 --- a/contrib/libfido2/examples/README.adoc +++ b/contrib/libfido2/examples/README.adoc @@ -20,8 +20,7 @@ The following definitions are used in the description below: - <pubkey> - The file system path of a file containing a NIST P-256 public key in - PEM format. + The file system path of a file containing a public key in PEM format. - <blobkey> @@ -48,8 +47,8 @@ The following examples are provided: Configures <pin> as the new PIN of <device>. If [oldpin] is provided, the device's PIN is changed from [oldpin] to <pin>. -- cred [-t ecdsa|rsa|eddsa] [-k pubkey] [-ei cred_id] [-P pin] [-T seconds] - [-b blobkey] [-hruv] <device> +- cred [-t es256|es384|rs256|eddsa] [-k pubkey] [-ei cred_id] [-P pin] + [-T seconds] [-b blobkey] [-hruv] <device> Creates a new credential on <device> and verify that the credential was signed by the authenticator. The device's attestation certificate 
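Review bot: The removed block also cleared `CMAKE_SHARED_LIBRARY_LINK_C_FLAGS` to drop `-rdynamic` when linking the examples against the static library; the top-level `_FIDO2_LIBRARY` selection that replaces it does not, so a static-only build now produces example binaries with their full symbol table exported again. If the simplification is deliberate, a comment in the top-level block saves the next reader the archaeology; otherwise restore `set(CMAKE_SHARED_LIBRARY_LINK_C_FLAGS "")` under the `elseif(BUILD_STATIC_LIBS)` branch there. Whether tools/CMakeLists.txt carried the same logic is not visible in this excerpt.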
@@ -66,14 +65,16 @@ The following examples are provided: option -b is specified, the credential's "largeBlob" key is stored in <blobkey>. -- assert [-t ecdsa|rsa|eddsa] [-a cred_id] [-h hmac_secret] [-s hmac_salt] - [-P pin] [-T seconds] [-b blobkey] [-puv] <pubkey> <device> +- assert [-t es256|es384|rs256|eddsa] [-a cred_id] [-h hmac_secret] [-P pin] + [-s hmac_salt] [-T seconds] [-b blobkey] [-puv] <pubkey> <device> Asks <device> for a FIDO2 assertion corresponding to [cred_id], which may be omitted for resident keys. The obtained assertion is verified using <pubkey>. The -p option requests that the user - be present. User verification may be requested through the -v - option. If option -u is specified, the assertion is generated using + be present and checks whether the user presence bit was signed by the + authenticator. The -v option requests user verification and checks + whether the user verification bit was signed by the authenticator. + If option -u is specified, the assertion is generated using U2F (CTAP1) instead of FIDO2 (CTAP2) commands. If option -s is specified, a FIDO2 hmac-secret is requested from the authenticator, and the contents of <hmac_salt> are used as the salt. If option -h diff --git a/contrib/libfido2/examples/assert.c b/contrib/libfido2/examples/assert.c index 8b0dbd9f6eb2..32ba97b2fca3 100644 --- a/contrib/libfido2/examples/assert.c +++ b/contrib/libfido2/examples/assert.c @@ -1,11 +1,13 @@ /* - * Copyright (c) 2018-2021 Yubico AB. All rights reserved. + * Copyright (c) 2018-2022 Yubico AB. All rights reserved. * Use of this source code is governed by a BSD-style * license that can be found in the LICENSE file. + * SPDX-License-Identifier: BSD-2-Clause */ #include <fido.h> #include <fido/es256.h> +#include <fido/es384.h> #include <fido/rs256.h> #include <fido/eddsa.h> 
@@ -30,9 +32,9 @@ static const unsigned char cd[32] = {
 static void
 usage(void)
 {
-	fprintf(stderr, "usage: assert [-t ecdsa|rsa|eddsa] [-a cred_id] "
-	    "[-h hmac_secret] [-s hmac_salt] [-P pin] [-T seconds] "
-	    "[-b blobkey] [-puv] <pubkey> <device>\n");
+	fprintf(stderr, "usage: assert [-t es256|es384|rs256|eddsa] "
+	    "[-a cred_id] [-h hmac_secret] [-s hmac_salt] [-P pin] "
+	    "[-T seconds] [-b blobkey] [-puv] <pubkey> <device>\n");
 	exit(EXIT_FAILURE);
 }
@@ -46,6 +48,7 @@ verify_assert(int type, const unsigned char *authdata_ptr, size_t authdata_len,
 	RSA *rsa = NULL;
 	EVP_PKEY *eddsa = NULL;
 	es256_pk_t *es256_pk = NULL;
+	es384_pk_t *es384_pk = NULL;
 	rs256_pk_t *rs256_pk = NULL;
 	eddsa_pk_t *eddsa_pk = NULL;
 	void *pk;
@@ -67,6 +70,21 @@ verify_assert(int type, const unsigned char *authdata_ptr, size_t authdata_len,
 		EC_KEY_free(ec);
 		ec = NULL;
+		break;
+	case COSE_ES384:
+		if ((ec = read_ec_pubkey(key)) == NULL)
+			errx(1, "read_ec_pubkey");
+		if ((es384_pk = es384_pk_new()) == NULL)
+			errx(1, "es384_pk_new");
+		if (es384_pk_from_EC_KEY(es384_pk, ec) != FIDO_OK)
+			errx(1, "es384_pk_from_EC_KEY");
+		pk = es384_pk;
+		EC_KEY_free(ec);
+		ec = NULL;
+		break;
 	case COSE_RS256:
 		if ((rsa = read_rsa_pubkey(key)) == NULL)
@@ -147,6 +165,7 @@ verify_assert(int type, const unsigned char *authdata_ptr, size_t authdata_len,
 		errx(1, "fido_assert_verify: %s (0x%x)", fido_strerr(r), r);
 	es256_pk_free(&es256_pk);
+	es384_pk_free(&es384_pk);
 	rs256_pk_free(&rs256_pk);
 	eddsa_pk_free(&eddsa_pk);
@@ -219,9 +238,11 @@ main(int argc, char **argv)
 			body = NULL;
 			break;
 		case 't':
-			if (strcmp(optarg, "ecdsa") == 0)
+			if (strcmp(optarg, "es256") == 0)
 				type = COSE_ES256;
-			else if (strcmp(optarg, "rsa") == 0)
+			else if (strcmp(optarg, "es384") == 0)
+				type = COSE_ES384;
+			else if (strcmp(optarg, "rs256") == 0)
 				type = COSE_RS256;
 			else if (strcmp(optarg, "eddsa") == 0)
 				type = COSE_EDDSA;
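Review bot: The new COSE_ES384 case in verify_assert reports a failed `es384_pk_from_EC_KEY` with a bare `errx(1, "es384_pk_from_EC_KEY")`, throwing away the libfido2 return code that the same function's `fido_assert_verify` failure path prints via `fido_strerr`. Since the README no longer pins `<pubkey>` to a single curve, the likely failure here is a PEM key on the wrong curve (a P-256 key passed with `-t es384`), which I'd expect `es384_pk_from_EC_KEY` to reject with a specific code; with the current message the user cannot tell that apart from any other failure. Suggest `if ((r = es384_pk_from_EC_KEY(es384_pk, ec)) != FIDO_OK)` / `errx(1, "es384_pk_from_EC_KEY: %s (0x%x)", fido_strerr(r), r);`, using the `r` that the later `fido_assert_verify` check in this function already relies on; the es256 case this block mirrors would benefit from the same treatment. verify_assert begins and ends outside the hunk.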
diff --git a/contrib/libfido2/examples/cred.c b/contrib/libfido2/examples/cred.c
index 4a9d8bf4b25a..576900d97786 100644
--- a/contrib/libfido2/examples/cred.c
+++ b/contrib/libfido2/examples/cred.c
@@ -1,7 +1,8 @@
 /*
- * Copyright (c) 2018-2021 Yubico AB. All rights reserved.
+ * Copyright (c) 2018-2022 Yubico AB. All rights reserved.
  * Use of this source code is governed by a BSD-style
  * license that can be found in the LICENSE file.
+ * SPDX-License-Identifier: BSD-2-Clause
  */
 #include <errno.h>
@@ -34,7 +35,7 @@ static const unsigned char user_id[32] = {
 static void
 usage(void)
 {
-	fprintf(stderr, "usage: cred [-t ecdsa|rsa|eddsa] [-k pubkey] "
+	fprintf(stderr, "usage: cred [-t es256|es384|rs256|eddsa] [-k pubkey] "
 	    "[-ei cred_id] [-P pin] [-T seconds] [-b blobkey] [-hruv] "
 	    "<device>\n");
 	exit(EXIT_FAILURE);
@@ -107,15 +108,23 @@ out:
 	if (key_out != NULL) {
 		/* extract the credential pubkey */
 		if (type == COSE_ES256) {
-			if (write_ec_pubkey(key_out, fido_cred_pubkey_ptr(cred),
+			if (write_es256_pubkey(key_out,
+			    fido_cred_pubkey_ptr(cred),
 			    fido_cred_pubkey_len(cred)) < 0)
-				errx(1, "write_ec_pubkey");
+				errx(1, "write_es256_pubkey");
+		} else if (type == COSE_ES384) {
+			if (write_es384_pubkey(key_out,
+			    fido_cred_pubkey_ptr(cred),
+			    fido_cred_pubkey_len(cred)) < 0)
+				errx(1, "write_es384_pubkey");
 		} else if (type == COSE_RS256) {
-			if (write_rsa_pubkey(key_out, fido_cred_pubkey_ptr(cred),
+			if (write_rs256_pubkey(key_out,
+			    fido_cred_pubkey_ptr(cred),
 			    fido_cred_pubkey_len(cred)) < 0)
-				errx(1, "write_rsa_pubkey");
+				errx(1, "write_rs256_pubkey");
 		} else if (type == COSE_EDDSA) {
*** 14695 LINES SKIPPED ***