ib. -git clone --depth=1 https://github.com/madler/zlib -b v1.3 +git clone --depth=1 https://github.com/madler/zlib -b v1.3.1 cd zlib make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32- sudo make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32- DESTDIR=/fakeroot \ diff --git a/contrib/libfido2/.actions/build-linux-openssl3-clang b/contrib/libfido2/.actions/build-linux-openssl3-clang index 2383e51ad8f5..4b805793bf39 100755 --- a/contrib/libfido2/.actions/build-linux-openssl3-clang +++ b/contrib/libfido2/.actions/build-linux-openssl3-clang @@ -1,6 +1,6 @@ #!/bin/sh -eux -# Copyright (c) 2022 Yubico AB. All rights reserved. +# Copyright (c) 2022-2024 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. # SPDX-License-Identifier: BSD-2-Clause @@ -12,8 +12,8 @@ FAKEROOT="$(mktemp -d)" # Check exports. (cd src && ./diff_exports.sh) -# Build and install OpenSSL 3.0.12. -git clone --branch openssl-3.0.12 \ +# Build and install OpenSSL 3.0.15. +git clone --branch openssl-3.0.15 \ --depth=1 https://github.com/openssl/openssl cd openssl ./Configure linux-x86_64-clang --prefix="${FAKEROOT}" \ diff --git a/contrib/libfido2/.actions/build-linux-openssl3-gcc b/contrib/libfido2/.actions/build-linux-openssl3-gcc index 344fc12bce8c..91ccd48ffe28 100755 --- a/contrib/libfido2/.actions/build-linux-openssl3-gcc +++ b/contrib/libfido2/.actions/build-linux-openssl3-gcc @@ -1,6 +1,6 @@ #!/bin/sh -eux -# Copyright (c) 2022 Yubico AB. All rights reserved. +# Copyright (c) 2022-2024 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. # SPDX-License-Identifier: BSD-2-Clause 
@@ -8,8 +8,8 @@ ${CC} --version FAKEROOT="$(mktemp -d)" -# Build and install OpenSSL 3.0.12. -git clone --branch openssl-3.0.12 \ +# Build and install OpenSSL 3.0.15. +git clone --branch openssl-3.0.15 \ --depth=1 https://github.com/openssl/openssl cd openssl ./Configure linux-x86_64 --prefix="${FAKEROOT}" \ diff --git a/contrib/libfido2/.actions/build-linux-openssl3-i686-w64-mingw32-gcc b/contrib/libfido2/.actions/build-linux-openssl3-i686-w64-mingw32-gcc index 3bbb141dad0d..a9ba2e2b56d8 100755 --- a/contrib/libfido2/.actions/build-linux-openssl3-i686-w64-mingw32-gcc +++ b/contrib/libfido2/.actions/build-linux-openssl3-i686-w64-mingw32-gcc @@ -1,6 +1,6 @@ #!/bin/sh -eux -# Copyright (c) 2022-2023 Yubico AB. All rights reserved. +# Copyright (c) 2022-2024 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. # SPDX-License-Identifier: BSD-2-Clause @@ -23,7 +23,7 @@ SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY) EOF # Build and install libcbor. -git clone --depth=1 https://github.com/pjk/libcbor -b v0.10.1 +git clone --depth=1 https://github.com/pjk/libcbor -b v0.12.0 cd libcbor mkdir build (cd build && cmake -DCMAKE_TOOLCHAIN_FILE=/tmp/mingw.cmake \ @@ -32,8 +32,8 @@ make -j"$(nproc)" -C build sudo make -C build install cd .. -# Build and install OpenSSL 3.0.11. -git clone --branch openssl-3.0.12 \ +# Build and install OpenSSL 3.0.15. +git clone --branch openssl-3.0.15 \ --depth=1 https://github.com/openssl/openssl cd openssl ./Configure mingw --prefix=/fakeroot --openssldir=/fakeroot/openssl \ @@ -43,7 +43,7 @@ sudo make install_sw cd .. # Build and install zlib. -git clone --depth=1 https://github.com/madler/zlib -b v1.3 +git clone --depth=1 https://github.com/madler/zlib -b v1.3.1 cd zlib make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32- sudo make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32- DESTDIR=/fakeroot \ 
diff --git a/contrib/libfido2/.actions/build-osx-clang b/contrib/libfido2/.actions/build-osx-clang index b4beea221315..552e99f83e58 100755 --- a/contrib/libfido2/.actions/build-osx-clang +++ b/contrib/libfido2/.actions/build-osx-clang @@ -5,7 +5,8 @@ # license that can be found in the LICENSE file. # SPDX-License-Identifier: BSD-2-Clause -export PKG_CONFIG_PATH="$(brew --prefix openssl@3.0)/lib/pkgconfig" +PKG_CONFIG_PATH="$(brew --prefix openssl@3.0)/lib/pkgconfig" +export PKG_CONFIG_PATH SCAN="$(brew --prefix llvm)/bin/scan-build" # Build, analyze, and install libfido2. diff --git a/contrib/libfido2/.actions/fuzz-linux b/contrib/libfido2/.actions/fuzz-linux index 3f57ac40ff4b..e404c8e7b4c6 100755 --- a/contrib/libfido2/.actions/fuzz-linux +++ b/contrib/libfido2/.actions/fuzz-linux @@ -1,18 +1,18 @@ #!/bin/sh -eux -# Copyright (c) 2020-2022 Yubico AB. All rights reserved. +# Copyright (c) 2020-2024 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. # SPDX-License-Identifier: BSD-2-Clause LIBCBOR_URL="https://github.com/pjk/libcbor" -LIBCBOR_TAG="v0.10.2" +LIBCBOR_TAG="v0.12.0" LIBCBOR_ASAN="address alignment bounds" LIBCBOR_MSAN="memory" OPENSSL_URL="https://github.com/openssl/openssl" -OPENSSL_TAG="openssl-3.0.12" +OPENSSL_TAG="openssl-3.0.15" ZLIB_URL="https://github.com/madler/zlib" -ZLIB_TAG="v1.3" +ZLIB_TAG="v1.3.1" ZLIB_ASAN="address alignment bounds undefined" ZLIB_MSAN="memory" FIDO2_ASAN="address bounds fuzzer-no-link implicit-conversion leak" @@ -63,6 +63,7 @@ git clone --depth=1 "${OPENSSL_URL}" -b "${OPENSSL_TAG}" cd openssl ./Configure linux-x86_64-clang "enable-$1" --prefix="${FAKEROOT}" \ --openssldir="${FAKEROOT}/openssl" --libdir=lib +make -j"$(nproc)" build_sw make install_sw cd - 
@@ -71,7 +72,7 @@ git clone --depth=1 "${ZLIB_URL}" -b "${ZLIB_TAG}" cd zlib CFLAGS="${ZLIB_CFLAGS}" LDFLAGS="${ZLIB_CFLAGS}" ./configure \ --prefix="${FAKEROOT}" -make install +make -j"$(nproc)" install cd - # libfido2 @@ -87,7 +88,7 @@ mkdir corpus curl -s https://storage.googleapis.com/yubico-libfido2/corpus.tgz | tar -C corpus -zxf - export UBSAN_OPTIONS ASAN_OPTIONS MSAN_OPTIONS -for f in assert bio cred credman hid largeblob mgmt netlink pcsc; do +for f in assert attobj bio cred credman hid largeblob mgmt netlink pcsc; do build/fuzz/fuzz_${f} -use_value_profile=1 -reload=30 -print_pcs=1 \ -print_funcs=30 -timeout=10 -runs=1 corpus/fuzz_${f} done diff --git a/contrib/libfido2/.actions/run-shellcheck b/contrib/libfido2/.actions/run-shellcheck new file mode 100755 index 000000000000..063a5e0d1f1a --- /dev/null +++ b/contrib/libfido2/.actions/run-shellcheck @@ -0,0 +1,25 @@ +#!/bin/sh -u + +# Copyright (c) 2024 Google LLC. All rights reserved. +# Use of this source code is governed by a BSD-style +# license that can be found in the LICENSE file. +# SPDX-License-Identifier: BSD-2-Clause + +LIST="$(mktemp)" +trap 'rm -- $LIST' EXIT + +git ls-files | while read -r file; do + if head -n1 "$file" | grep -q '^#!.*sh'; then + if ! shellcheck -Cnever --norc "$file"; then + echo "$file" >> "$LIST" + fi + fi +done + +[ -s "$LIST" ] && { + echo "The following files contain errors:" + cat "$LIST" + exit 1 +} 1>&2 + +exit 0 diff --git a/contrib/libfido2/.github/workflows/alpine_builds.yml b/contrib/libfido2/.github/workflows/alpine_builds.yml index c6d826f39835..874f7104539f 100644 --- a/contrib/libfido2/.github/workflows/alpine_builds.yml +++ b/contrib/libfido2/.github/workflows/alpine_builds.yml @@ -1,4 +1,4 @@ -# Copyright (c) 2022-2023 Yubico AB. All rights reserved. +# Copyright (c) 2022-2024 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. # SPDX-License-Identifier: BSD-2-Clause 
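Review bot: The shebang filter `head -n1 "$file" | grep -q '^#!.*sh'` in run-shellcheck also matches interpreters ShellCheck does not support, such as zsh or fish, because `.*sh` matches any interpreter path containing those two letters; such files would be listed as errors rather than skipped. A tighter pattern such as `grep -Eq '^#!.*/(env[[:space:]]+)?(sh|bash|dash|ksh)([[:space:]]|$)'` keeps `#!/bin/sh -eux` and `#!/usr/bin/env bash` matching while excluding other shells. The cleanup `trap 'rm -- $LIST' EXIT` leaves `$LIST` unquoted inside the trap action, which is exactly the kind of expansion this script exists to flag; `trap 'rm -f -- "$LIST"' EXIT` is the quoted form. Whether the current tree contains any zsh or fish scripts cannot be seen from this diff.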
@@ -16,7 +16,7 @@ on: jobs: build: - runs-on: ubuntu-20.04 + runs-on: ubuntu-24.04 container: alpine:latest strategy: fail-fast: false diff --git a/contrib/libfido2/.github/workflows/bsd_builds.yml b/contrib/libfido2/.github/workflows/bsd_builds.yml index 366ea2141aca..a4dcf0073251 100644 --- a/contrib/libfido2/.github/workflows/bsd_builds.yml +++ b/contrib/libfido2/.github/workflows/bsd_builds.yml @@ -1,4 +1,4 @@ -# Copyright (c) 2022 Yubico AB. All rights reserved. +# Copyright (c) 2022-2024 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. # SPDX-License-Identifier: BSD-2-Clause @@ -14,11 +14,13 @@ on: jobs: build: if: github.repository == 'Yubico/libfido2' - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 strategy: fail-fast: false matrix: - image: [freebsd/13.x, openbsd/7.2] + include: + - { image: freebsd/14.x } + - { image: openbsd/7.6, llvm_version: 16 } steps: - uses: actions/checkout@v4 - name: dependencies @@ -27,6 +29,7 @@ jobs: sudo apt install -q -y curl jq - name: build env: + LLVM_VERSION: ${{ matrix.llvm_version }} IMAGE: ${{ matrix.image }} SOURCEHUT_TOKEN: ${{ secrets.SOURCEHUT_TOKEN }} run: ./.actions/build-bsd diff --git a/contrib/libfido2/.github/workflows/cifuzz_oss.yml b/contrib/libfido2/.github/workflows/cifuzz_oss.yml index 556d5ad36f7c..7d621c644786 100644 --- a/contrib/libfido2/.github/workflows/cifuzz_oss.yml +++ b/contrib/libfido2/.github/workflows/cifuzz_oss.yml @@ -1,4 +1,4 @@ -# Copyright (c) 2022 Yubico AB. All rights reserved. +# Copyright (c) 2022-2024 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. # SPDX-License-Identifier: BSD-2-Clause @@ -17,7 +17,7 @@ on: jobs: fuzzing: if: github.repository == 'Yubico/libfido2' - runs-on: ubuntu-20.04 + runs-on: ubuntu-24.04 strategy: fail-fast: false matrix: 
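Review bot: `LLVM_VERSION: ${{ matrix.llvm_version }}` in bsd_builds.yml is exported for both matrix rows, but only the `openbsd/7.6` entry defines `llvm_version`, so the `freebsd/14.x` job runs `./.actions/build-bsd` with `LLVM_VERSION` set to an empty string. That script is not part of this diff, so it presumably treats an empty value as "use the image default"; if it does not, either give the FreeBSD row an explicit `llvm_version` or gate the variable with an `if:` on the matrix value. A one-line comment above the `include:` list stating that `llvm_version` is optional and what an empty value means would make the contract visible to the next person editing the matrix.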
@@ -39,7 +39,7 @@ jobs: fuzz-seconds: 600 dry-run: false - name: upload crash - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 if: failure() with: name: ${{ matrix.sanitizer }}-artifacts diff --git a/contrib/libfido2/.github/workflows/codeql-analysis.yml b/contrib/libfido2/.github/workflows/codeql-analysis.yml index a3a8d54d2daa..486dd900e5bc 100644 --- a/contrib/libfido2/.github/workflows/codeql-analysis.yml +++ b/contrib/libfido2/.github/workflows/codeql-analysis.yml @@ -1,4 +1,4 @@ -# Copyright (c) 2022 Yubico AB. All rights reserved. +# Copyright (c) 2022-2024 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. # SPDX-License-Identifier: BSD-2-Clause @@ -22,14 +22,14 @@ permissions: jobs: codeql-build: if: github.repository == 'Yubico/libfido2' - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: checkout uses: actions/checkout@v4 with: fetch-depth: 2 - name: init codeql - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 - name: build env: CC: gcc @@ -39,4 +39,4 @@ jobs: libpcsclite-dev ./.actions/build-linux-gcc - name: perform codeql analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 diff --git a/contrib/libfido2/.github/workflows/linux_builds.yml b/contrib/libfido2/.github/workflows/linux_builds.yml index ec911cb92d92..a1e007daf404 100644 --- a/contrib/libfido2/.github/workflows/linux_builds.yml +++ b/contrib/libfido2/.github/workflows/linux_builds.yml @@ -1,4 +1,4 @@ -# Copyright (c) 2022 Yubico AB. All rights reserved. +# Copyright (c) 2022-2024 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. # SPDX-License-Identifier: BSD-2-Clause 
@@ -21,17 +21,16 @@ jobs: fail-fast: false matrix: include: - - { os: ubuntu-20.04, cc: gcc-8 } - - { os: ubuntu-22.04, cc: gcc-9 } - { os: ubuntu-22.04, cc: gcc-10 } - { os: ubuntu-22.04, cc: gcc-11 } - - { os: ubuntu-22.04, cc: gcc-12 } - - { os: ubuntu-22.04, cc: clang-13 } - - { os: ubuntu-22.04, cc: clang-14 } - - { os: ubuntu-22.04, cc: clang-15 } + - { os: ubuntu-24.04, cc: gcc-12 } + - { os: ubuntu-24.04, cc: gcc-13 } - { os: ubuntu-22.04, cc: clang-16 } - - { os: ubuntu-20.04, cc: i686-w64-mingw32-gcc-9 } + - { os: ubuntu-22.04, cc: clang-17 } + - { os: ubuntu-24.04, cc: clang-18 } + - { os: ubuntu-24.04, cc: clang-19 } - { os: ubuntu-22.04, cc: i686-w64-mingw32-gcc-10 } + - { os: ubuntu-24.04, cc: i686-w64-mingw32-gcc-11 } steps: - uses: actions/checkout@v4 - name: dependencies diff --git a/contrib/libfido2/.github/workflows/linux_fuzz.yml b/contrib/libfido2/.github/workflows/linux_fuzz.yml index 296c0d9fab23..ea2d3833dca2 100644 --- a/contrib/libfido2/.github/workflows/linux_fuzz.yml +++ b/contrib/libfido2/.github/workflows/linux_fuzz.yml @@ -1,4 +1,4 @@ -# Copyright (c) 2022 Yubico AB. All rights reserved. +# Copyright (c) 2022-2024 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. # SPDX-License-Identifier: BSD-2-Clause @@ -20,8 +20,8 @@ jobs: strategy: fail-fast: false matrix: - os: [ ubuntu-22.04 ] - cc: [ clang-16 ] + os: [ ubuntu-24.04 ] + cc: [ clang-19 ] sanitizer: [ asan, msan ] steps: - uses: actions/checkout@v4 diff --git a/contrib/libfido2/.github/workflows/macos_builds.yml b/contrib/libfido2/.github/workflows/macos_builds.yml index 7d84a750ac37..90466550ee69 100644 --- a/contrib/libfido2/.github/workflows/macos_builds.yml +++ b/contrib/libfido2/.github/workflows/macos_builds.yml 
@@ -20,11 +20,13 @@ jobs: strategy: fail-fast: false matrix: - os: [ macos-13, macos-12 ] + os: [ macos-15, macos-14, macos-13 ] cc: [ clang ] steps: - uses: actions/checkout@v4 - name: dependencies + env: + HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK: 1 run: brew install libcbor llvm mandoc openssl@3.0 pkg-config zlib - name: build env: diff --git a/contrib/libfido2/.github/workflows/openssl3.yml b/contrib/libfido2/.github/workflows/openssl3.yml index ee70c087d285..b51685dff102 100644 --- a/contrib/libfido2/.github/workflows/openssl3.yml +++ b/contrib/libfido2/.github/workflows/openssl3.yml @@ -1,4 +1,4 @@ -# Copyright (c) 2022 Yubico AB. All rights reserved. +# Copyright (c) 2022-2024 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. # SPDX-License-Identifier: BSD-2-Clause @@ -21,12 +21,12 @@ jobs: fail-fast: false matrix: include: - - os: ubuntu-22.04 - cc: gcc-11 - - os: ubuntu-22.04 - cc: clang-16 - - os: ubuntu-22.04 - cc: i686-w64-mingw32-gcc-10 + - os: ubuntu-24.04 + cc: gcc-13 + - os: ubuntu-24.04 + cc: clang-19 + - os: ubuntu-24.04 + cc: i686-w64-mingw32-gcc-11 steps: - uses: actions/checkout@v4 - name: dependencies diff --git a/contrib/libfido2/.github/workflows/shellcheck.yml b/contrib/libfido2/.github/workflows/shellcheck.yml new file mode 100644 index 000000000000..cdda760ae2b6 --- /dev/null +++ b/contrib/libfido2/.github/workflows/shellcheck.yml 
@@ -0,0 +1,27 @@ +# Copyright (c) 2024 Google LLC. All rights reserved. +# Use of this source code is governed by a BSD-style +# license that can be found in the LICENSE file. +# SPDX-License-Identifier: BSD-2-Clause + +name: shellcheck + +on: + pull_request: + branches: + - main + push: + branches: + - main + - '*-ci' + +jobs: + build: + runs-on: ubuntu-24.04 + steps: + - uses: actions/checkout@v4 + - name: dependencies + run: | + sudo apt -q update + sudo apt install -q -y shellcheck + - name: build + run: ./.actions/run-shellcheck diff --git a/contrib/libfido2/CMakeLists.txt b/contrib/libfido2/CMakeLists.txt index c4f7b1b7b51e..2630e263ecd2 100644 --- a/contrib/libfido2/CMakeLists.txt +++ b/contrib/libfido2/CMakeLists.txt @@ -28,8 +28,10 @@ endif() set(CMAKE_POSITION_INDEPENDENT_CODE ON) set(CMAKE_COLOR_MAKEFILE OFF) set(CMAKE_VERBOSE_MAKEFILE ON) +set(CMAKE_EXPORT_COMPILE_COMMANDS ON) + set(FIDO_MAJOR "1") -set(FIDO_MINOR "14") +set(FIDO_MINOR "16") set(FIDO_PATCH "0") set(FIDO_VERSION ${FIDO_MAJOR}.${FIDO_MINOR}.${FIDO_PATCH}) @@ -190,6 +192,9 @@ if(MSVC) if(NOT CRYPTO_LIBRARIES) set(CRYPTO_LIBRARIES crypto) endif() + if(NOT CRYPTO_DLL) + set(CRYPTO_DLL crypto) + endif() set(MSVC_DISABLED_WARNINGS_LIST "C4152" # nonstandard extension used: function/data pointer @@ -435,6 +440,9 @@ message(STATUS "CRYPTO_LIBRARY_DIRS: ${CRYPTO_LIBRARY_DIRS}") if(BUILD_TESTS) message(STATUS "CRYPTO_BIN_DIRS: ${CRYPTO_BIN_DIRS}") endif() +if(MSVC) + message(STATUS "CRYPTO_DLL: ${CRYPTO_DLL}") +endif() message(STATUS "CRYPTO_VERSION: ${CRYPTO_VERSION}") message(STATUS "FIDO_VERSION: ${FIDO_VERSION}") message(STATUS "FUZZ: ${FUZZ}") @@ -484,7 +492,7 @@ endif() if(BUILD_TOOLS) add_subdirectory(tools) endif() -if(BUILD_MANPAGES) +if(BUILD_MANPAGES AND NOT MSVC) add_subdirectory(man) endif() diff --git a/contrib/libfido2/LICENSE b/contrib/libfido2/LICENSE index ad0e13358930..bfafcbe13129 100644 --- a/contrib/libfido2/LICENSE +++ b/contrib/libfido2/LICENSE 
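Review bot: The new shellcheck.yml declares no `permissions:` block, so its `GITHUB_TOKEN` receives the repository's default token permissions even though the job only needs to read the checkout; `codeql-analysis.yml` in this same change already carries a top-level `permissions:` block. Adding `permissions:` followed by `contents: read` at the top level (next to `name:`) limits the token to what `actions/checkout@v4` and the shellcheck run require. The action is referenced by major-version tag (`actions/checkout@v4`), which matches the other workflows here; pinning to a full commit SHA with the version in a trailing comment is the stricter supply-chain option if the project wants it.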
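Review bot: `if(BUILD_MANPAGES AND NOT MSVC)` in CMakeLists.txt silently drops the man subdirectory on MSVC even when the user configured `BUILD_MANPAGES=ON`, and the configure-time summary in the `@@ -435,6 +440,9 @@` hunk now reports `CRYPTO_DLL` but does not report that the man pages were skipped. An `else()` branch with `message(STATUS "BUILD_MANPAGES: skipped on MSVC")`, or a note next to the option's definition (outside this hunk), would make the decision discoverable from the configure log. The reason for the exclusion is not stated in the diff (presumably the man toolchain is unavailable on that platform); a short comment above the condition saying so would help.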
@@ -1,4 +1,4 @@ -Copyright (c) 2018-2023 Yubico AB. All rights reserved. +Copyright (c) 2018-2024 Yubico AB. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are diff --git a/contrib/libfido2/NEWS b/contrib/libfido2/NEWS index 58387ffd72bf..9f7c1563ba87 100644 --- a/contrib/libfido2/NEWS +++ b/contrib/libfido2/NEWS @@ -1,12 +1,34 @@ +* Version 1.16.0 (2025-05-06) + ** Added support for enterprise attestation. + ** Improved handling of invalid key handles in U2F key lookup; gh#819. + ** Fixed issue where storing small CTAP 2.1 largeBlobs failed; gh#826. + ** Fixed APDU chaining issues for certain authenticators; gh#818, gh#855. + ** Improved documentation and examples. + ** New API calls: + - fido_cred_entattest; + - fido_cred_set_entattest. + +* Version 1.15.0 (2024-06-13) + ** 1.15.0 will be the last release to support OpenSSL 1.1. + ** bio, credman: improved CTAP 2.1 support. + ** hid_osx: fix issue where fido_hid_read() may block unnecessarily; gh#757. + ** fido2-token -I: print maxcredbloblen. + ** hid_linux: improved support for uhid devices. + ** New API calls: + - fido_cred_set_attobj; + - fido_cred_x5c_list_count; + - fido_cred_x5c_list_len; + - fido_cred_x5c_list_ptr. + * Version 1.14.0 (2023-11-13) ** fido2-cred -M, fido2-token -G: support raw client data via -w flag. ** winhello: support U2F AppID extension for assertions. ** winhello: fix restrictive parsing of the hmac-secret on assertions. ** winhello: translate NTE_USER_CANCELLED to FIDO_ERR_OPERATION_DENIED; gh#685. ** New API calls: - ** fido_assert_authdata_raw_len; - ** fido_assert_authdata_raw_ptr; - ** fido_assert_set_winhello_appid. + - fido_assert_authdata_raw_len; + - fido_assert_authdata_raw_ptr; + - fido_assert_set_winhello_appid. * Version 1.13.0 (2023-02-20) ** Support for linking against OpenSSL on Windows; gh#668. 
diff --git a/contrib/libfido2/README.adoc b/contrib/libfido2/README.adoc index fb6f3d3eb004..38e882598ab3 100644 --- a/contrib/libfido2/README.adoc +++ b/contrib/libfido2/README.adoc @@ -38,7 +38,7 @@ is also available. === Releases -The current release of *libfido2* is 1.14.0. Signed release tarballs are +The current release of *libfido2* is 1.16.0. Signed release tarballs are available at Yubico's https://developers.yubico.com/libfido2/Releases[release page]. @@ -52,11 +52,11 @@ required. === Installation -==== Fedora 35 and 34 +==== Fedora 34 and later $ sudo dnf install libfido2 libfido2-devel fido2-tools -==== Ubuntu 22.04 (Jammy) and 20.04 (Focal) +==== Ubuntu 20.04 (Focal) and later $ sudo apt install libfido2-1 libfido2-dev libfido2-doc fido2-tools diff --git a/contrib/libfido2/SECURITY.md b/contrib/libfido2/SECURITY.md index e12a48a847ba..8071bc9a460a 100644 --- a/contrib/libfido2/SECURITY.md +++ b/contrib/libfido2/SECURITY.md @@ -2,4 +2,4 @@ To report security issues in libfido2, please contact security@yubico.com. A PGP public key can be found at -https://www.yubico.com/support/security-advisories/issue-rating-system/. +https://www.yubico.com/support/issue-rating-system/. diff --git a/contrib/libfido2/examples/README.adoc b/contrib/libfido2/examples/README.adoc index 6151b70bd91e..1249366f3e0f 100644 --- a/contrib/libfido2/examples/README.adoc +++ b/contrib/libfido2/examples/README.adoc @@ -64,7 +64,8 @@ The following examples are provided: The -T option may be used to enforce a timeout of . If the option -b is specified, the credential's "largeBlob" key is stored in . If the option -c is specified the the generated credential - will be bound by the specified protection policy. + will be bound by the specified protection policy. If the option -a is + specified, enterprise attestation will be requested. - assert [-t es256|es384|rs256|eddsa] [-a cred_id] [-h hmac_secret] [-P pin] [-s hmac_salt] [-T seconds] [-b blobkey] [-puv] 
diff --git a/contrib/libfido2/examples/cred.c b/contrib/libfido2/examples/cred.c index 5a2a27fd7771..4fb07868b4e7 100644 --- a/contrib/libfido2/examples/cred.c +++ b/contrib/libfido2/examples/cred.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018-2023 Yubico AB. All rights reserved. + * Copyright (c) 2018-2024 Yubico AB. All rights reserved. * Use of this source code is governed by a BSD-style * license that can be found in the LICENSE file. * SPDX-License-Identifier: BSD-2-Clause @@ -36,7 +36,8 @@ static void usage(void) { fprintf(stderr, "usage: cred [-t es256|es384|rs256|eddsa] [-k pubkey] " - "[-ei cred_id] [-P pin] [-T seconds] [-b blobkey] [-c cred_protect] [-hruv] " + "[-ei cred_id] [-P pin] [-T seconds] [-b blobkey] [-c cred_protect] " + "[-a mode] [-hruv] " "\n"); exit(EXIT_FAILURE); } @@ -106,9 +107,13 @@ verify_cred(int type, const char *fmt, const unsigned char *authdata_ptr, if (r != FIDO_OK) errx(1, "fido_cred_set_attstmt: %s (0x%x)", fido_strerr(r), r); - r = fido_cred_verify(cred); - if (r != FIDO_OK) - errx(1, "fido_cred_verify: %s (0x%x)", fido_strerr(r), r); + if (fido_cred_x5c_ptr(cred) == NULL) { + if ((r = fido_cred_verify_self(cred)) != FIDO_OK) + errx(1, "fido_cred_verify_self: %s (0x%x)", fido_strerr(r), r); + } else { + if ((r = fido_cred_verify(cred)) != FIDO_OK) + errx(1, "fido_cred_verify: %s (0x%x)", fido_strerr(r), r); + } out: if (key_out != NULL) { @@ -166,11 +171,12 @@ main(int argc, char **argv) int ch; int r; long long cred_protect = 0; + long long ea = 0; if ((cred = fido_cred_new()) == NULL) errx(1, "fido_cred_new"); - while ((ch = getopt(argc, argv, "P:T:b:e:hi:k:rt:uvc:")) != -1) { + while ((ch = getopt(argc, argv, "P:T:a:b:e:hi:k:rt:uvc:")) != -1) { switch (ch) { case 'P': pin = optarg; 
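Review bot: The new branch in verify_cred picks `fido_cred_verify_self()` whenever `fido_cred_x5c_ptr(cred)` is NULL, but nothing in the code says what that weaker check means: as the name indicates, the signature is then checked against the credential's own public key rather than an attestation certificate, so it shows the response is self-consistent but says nothing about which authenticator produced it. Since this file is the example a relying-party author will copy, a comment such as `/* no attestation certificate: self-attestation proves key possession, not authenticator identity */` above the `if` would stop the two branches from being read as equivalent. It is not visible here whether `fido_cred_verify_self()` accepts a credential whose attestation format carries no signature at all, so that case is worth confirming. verify_cred starts and ends outside this hunk.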
@@ -182,6 +188,12 @@ main(int argc, char **argv) errx(1, "-T: %s must be in (0,30]", optarg); ms *= 1000; /* seconds to milliseconds */ break; + case 'a': + if (base10(optarg, &ea) < 0) + errx(1, "base10: %s", optarg); + if (ea <= 0 || ea > 2) + errx(1, "-a: %s must be in (0,2]", optarg); + break; case 'b': ext |= FIDO_EXT_LARGEBLOB_KEY; blobkey_out = optarg; @@ -203,7 +215,7 @@ main(int argc, char **argv) if (base10(optarg, &cred_protect) < 0) errx(1, "base10: %s", optarg); if (cred_protect <= 0 || cred_protect > 3) - errx(1, "-c: %s must be in (1,3)", optarg); + errx(1, "-c: %s must be in (0,3]", optarg); ext |= FIDO_EXT_CRED_PROTECT; break; case 'i': @@ -293,6 +305,9 @@ main(int argc, char **argv) if (cred_protect != 0 && (r = fido_cred_set_prot(cred, (int)cred_protect)) != FIDO_OK) errx(1, "fido_cred_set_prot: %s (0x%x)", fido_strerr(r), r); + + if (ea != 0 && (r = fido_cred_set_entattest(cred, (int)ea)) != FIDO_OK) + errx(1, "fido_cred_set_entattest: %s (0x%x)", fido_strerr(r), r); /* timeout */ if (ms != 0 && (r = fido_dev_set_timeout(dev, (int)ms)) != FIDO_OK) diff --git a/contrib/libfido2/fuzz/CMakeLists.txt b/contrib/libfido2/fuzz/CMakeLists.txt index cc30baae88f2..0bf4bfbf05a5 100644 --- a/contrib/libfido2/fuzz/CMakeLists.txt +++ b/contrib/libfido2/fuzz/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright (c) 2019-2023 Yubico AB. All rights reserved. +# Copyright (c) 2019-2024 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. # SPDX-License-Identifier: BSD-2-Clause @@ -18,6 +18,10 @@ set(FUZZ_LINKER_LANGUAGE "C" CACHE STRING "Linker language for fuzz harnesses") mark_as_advanced(FUZZ_LINKER_LANGUAGE) enable_language(${FUZZ_LINKER_LANGUAGE}) +if(NOT FUZZ_LDFLAGS) + message(FATAL_ERROR "Please define FUZZ_LDFLAGS") +endif() + # fuzz_cred add_executable(fuzz_cred fuzz_cred.c ${COMMON_SOURCES} ${COMPAT_SOURCES}) set_target_properties(fuzz_cred PROPERTIES 
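Review bot: `case 'a'` accepts the enterprise-attestation mode as a bare integer in `(0,2]`, and neither the usage string (`[-a mode]` in the earlier hunk) nor the switch says what 1 and 2 select, so a reader of this example has to leave the file to use the flag at all. A comment on the case, e.g. `/* -a: enterprise attestation mode for fido_cred_set_entattest(): 1 = vendor-facilitated, 2 = platform-managed (CTAP 2.1) */`, plus the same wording in usage(), would keep the example self-describing. Enterprise attestation can return an attestation that identifies the individual authenticator, which is presumably why the mode is opt-in and range-checked here; saying so in the comment tells the reader when not to pass it. The range check and the `fido_cred_set_entattest()` call sit in separate hunks of main(), which starts and ends outside them.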
@@ -80,3 +84,10 @@ set_target_properties(fuzz_pcsc PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS} LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE}) target_link_libraries(fuzz_pcsc fido2_shared) + +# fuzz_attobj +add_executable(fuzz_attobj fuzz_attobj.c ${COMMON_SOURCES} ${COMPAT_SOURCES}) +set_target_properties(fuzz_attobj PROPERTIES + LINK_FLAGS ${FUZZ_LDFLAGS} + LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE}) +target_link_libraries(fuzz_attobj fido2_shared) diff --git a/contrib/libfido2/fuzz/Dockerfile b/contrib/libfido2/fuzz/Dockerfile index 7b26e6ec3b19..1ab14c33da75 100644 --- a/contrib/libfido2/fuzz/Dockerfile +++ b/contrib/libfido2/fuzz/Dockerfile @@ -10,7 +10,7 @@ RUN apk -q update RUN apk add build-base clang clang-analyzer cmake compiler-rt coreutils RUN apk add eudev-dev git linux-headers llvm openssl-dev pcsc-lite-dev RUN apk add sudo tar zlib-dev -RUN git clone --branch v0.10.2 --depth=1 https://github.com/PJK/libcbor +RUN git clone --branch v0.12.0 --depth=1 https://github.com/PJK/libcbor RUN git clone --depth=1 https://github.com/yubico/libfido2 WORKDIR /libfido2 RUN ./fuzz/build-coverage /libcbor /libfido2 diff --git a/contrib/libfido2/fuzz/Makefile b/contrib/libfido2/fuzz/Makefile index 55a506bc8312..a7ac24c0da58 100644 --- a/contrib/libfido2/fuzz/Makefile +++ b/contrib/libfido2/fuzz/Makefile @@ -3,12 +3,12 @@ # license that can be found in the LICENSE file. # SPDX-License-Identifier: BSD-2-Clause -IMAGE := libfido2-coverage:1.14.0 +IMAGE := libfido2-coverage:1.16.0 RUNNER := libfido2-runner PROFDATA := llvm-profdata COV := llvm-cov -TARGETS := fuzz_assert fuzz_bio fuzz_cred fuzz_credman fuzz_hid \ - fuzz_largeblob fuzz_netlink fuzz_mgmt fuzz_pcsc +TARGETS := fuzz_assert fuzz_attobj fuzz_bio fuzz_cred fuzz_credman \ + fuzz_hid fuzz_largeblob fuzz_netlink fuzz_mgmt fuzz_pcsc CORPORA := $(foreach f,${TARGETS},${f}/corpus) MINIFY := $(foreach f,${TARGETS},/minify/${f}/corpus) REMOTE := gs://libfido2-corpus.clusterfuzz-external.appspot.com 
diff --git a/contrib/libfido2/fuzz/export.gnu b/contrib/libfido2/fuzz/export.gnu index bc25dd66cba7..62dfda926944 100644 --- a/contrib/libfido2/fuzz/export.gnu +++ b/contrib/libfido2/fuzz/export.gnu @@ -127,6 +127,7 @@ fido_cred_clientdata_hash_len; fido_cred_clientdata_hash_ptr; fido_cred_display_name; + fido_cred_entattest; fido_cred_exclude; fido_cred_flags; fido_cred_largeblob_key_len; @@ -166,11 +167,13 @@ fido_cred_rp_id; fido_cred_rp_name; fido_cred_set_attstmt; + fido_cred_set_attobj; fido_cred_set_authdata; fido_cred_set_authdata_raw; fido_cred_set_blob; fido_cred_set_clientdata; fido_cred_set_clientdata_hash; + fido_cred_set_entattest; fido_cred_set_extensions; fido_cred_set_fmt; fido_cred_set_id; @@ -193,6 +196,9 @@ fido_cred_verify; fido_cred_verify_self; fido_cred_x5c_len; + fido_cred_x5c_list_count; + fido_cred_x5c_list_len; + fido_cred_x5c_list_ptr; fido_cred_x5c_ptr; fido_dev_build; fido_dev_cancel; diff --git a/contrib/libfido2/fuzz/functions.txt b/contrib/libfido2/fuzz/functions.txt index 4ad5a0c83f5c..5dab11c62d50 100644 --- a/contrib/libfido2/fuzz/functions.txt +++ b/contrib/libfido2/fuzz/functions.txt 
@@ -1,31 +1,31 @@ File '/libfido2/src/aes256.c': Name Regions Miss Cover Lines Miss Cover --------------------------------------------------------------------------------------------------------- +------------------------------------------------------------------------------ aes256_cbc_enc 4 0 100.00% 4 0 100.00% aes256_cbc_dec 4 0 100.00% 4 0 100.00% aes256_gcm_enc 1 0 100.00% 3 0 100.00% aes256_gcm_dec 1 0 100.00% 3 0 100.00% -aes256.c:aes256_cbc_fips 26 1 96.15% 42 4 90.48% -aes256.c:aes256_cbc 29 1 96.55% 36 3 91.67% +aes256.c:aes256_cbc_fips 29 1 96.55% 42 4 90.48% +aes256.c:aes256_cbc 37 1 97.30% 36 3 91.67% aes256.c:aes256_cbc_proto1 1 0 100.00% 5 0 100.00% -aes256.c:aes256_gcm 52 1 98.08% 60 4 93.33% --------------------------------------------------------------------------------------------------------- -TOTAL 118 3 97.46% 157 11 92.99% +aes256.c:aes256_gcm 73 3 95.89% 64 10 84.38% +------------------------------------------------------------------------------ +TOTAL 150 5 96.67% 161 17 89.44% File '/libfido2/src/assert.c': Name Regions Miss Cover Lines Miss Cover ------------------------------------------------------------------------------------------------------------------ -fido_dev_get_assert 40 0 100.00% 35 0 100.00% +--------------------------------------------------------------------------------------- +fido_dev_get_assert 50 0 100.00% 35 0 100.00% fido_check_flags 13 0 100.00% 15 0 100.00% -fido_get_signed_hash 20 1 95.00% 34 3 91.18% -fido_assert_verify 50 4 92.00% 70 7 90.00% +fido_get_signed_hash 27 1 96.30% 34 3 91.18% +fido_assert_verify 59 4 93.22% 70 7 90.00% fido_assert_set_clientdata 12 12 0.00% 11 11 0.00% fido_assert_set_clientdata_hash 8 0 100.00% 6 0 100.00% fido_assert_set_hmac_salt 10 0 100.00% 6 0 100.00% fido_assert_set_hmac_secret 12 12 0.00% 7 7 0.00% -fido_assert_set_rp 12 0 100.00% 11 0 100.00% +fido_assert_set_rp 16 0 100.00% 11 0 100.00% fido_assert_set_winhello_appid 2 2 0.00% 5 5 0.00% -fido_assert_allow_cred 13 2 84.62% 
22 3 86.36% +fido_assert_allow_cred 16 2 87.50% 22 3 86.36% fido_assert_empty_allow_list 2 0 100.00% 5 0 100.00% fido_assert_set_extensions 14 0 100.00% 10 0 100.00% fido_assert_set_options 8 8 0.00% 5 5 0.00% @@ -34,71 +34,71 @@ fido_assert_set_uv 2 0 100.00% 4 0 fido_assert_clientdata_hash_ptr 1 0 100.00% 3 0 100.00% fido_assert_clientdata_hash_len 1 0 100.00% 3 0 100.00% *** 6320 LINES SKIPPED ***