Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libfido2 for openSUSE:Factory checked in at 2023-02-25 19:54:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libfido2 (Old) and /work/SRC/openSUSE:Factory/.libfido2.new.31432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libfido2" Sat Feb 25 19:54:48 2023 rev:13 rq:1067595 version:1.13.0 Changes: -------- --- /work/SRC/openSUSE:Factory/libfido2/libfido2.changes 2022-10-13 15:39:52.970460116 +0200 +++ /work/SRC/openSUSE:Factory/.libfido2.new.31432/libfido2.changes 2023-02-25 19:54:59.419221698 +0100 @@ -1,0 +2,11 @@ +Fri Feb 24 10:08:21 UTC 2023 - Martin Sirringhaus <[email protected]> + +- Version 1.13.0 (2023-02-20) + * Support for linking against OpenSSL on Windows; gh#668. + * New API calls: + + fido_assert_empty_allow_list; + + fido_cred_empty_exclude_list. + * fido2-token: fix issue when listing large blobs. + * Improved support for different fuzzing engines. + +------------------------------------------------------------------- Old: ---- libfido2-1.12.0.tar.gz libfido2-1.12.0.tar.gz.sig New: ---- libfido2-1.13.0.tar.gz libfido2-1.13.0.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libfido2.spec ++++++ --- /var/tmp/diff_new_pack.RK61Cy/_old 2023-02-25 19:55:00.355227466 +0100 +++ /var/tmp/diff_new_pack.RK61Cy/_new 2023-02-25 19:55:00.371227565 +0100 @@ -1,7 +1,7 @@ # # spec file for package libfido2 # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ %define sover 1 Name: libfido2 -Version: 1.12.0 +Version: 1.13.0 Release: 0 Summary: FIDO U2F and FIDO 2.0 protocols License: BSD-2-Clause ++++++ libfido2-1.12.0.tar.gz -> libfido2-1.13.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/CMakeLists.txt new/libfido2-1.13.0/CMakeLists.txt --- old/libfido2-1.12.0/CMakeLists.txt 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/CMakeLists.txt 2023-02-20 09:21:28.000000000 +0100 
@@ -29,17 +29,17 @@ set(CMAKE_COLOR_MAKEFILE OFF) set(CMAKE_VERBOSE_MAKEFILE ON) set(FIDO_MAJOR "1") -set(FIDO_MINOR "12") +set(FIDO_MINOR "13") set(FIDO_PATCH "0") set(FIDO_VERSION ${FIDO_MAJOR}.${FIDO_MINOR}.${FIDO_PATCH}) +option(BUILD_TESTS "Build the regress tests" ON) option(BUILD_EXAMPLES "Build example programs" ON) option(BUILD_MANPAGES "Build man pages" ON) option(BUILD_SHARED_LIBS "Build a shared library" ON) option(BUILD_STATIC_LIBS "Build a static library" ON) option(BUILD_TOOLS "Build tool programs" ON) option(FUZZ "Enable fuzzing instrumentation" OFF) -option(LIBFUZZER "Build libfuzzer harnesses" OFF) option(USE_HIDAPI "Use hidapi as the HID backend" OFF) option(USE_PCSC "Enable experimental PCSC support" OFF) option(USE_WINHELLO "Abstract Windows Hello as a FIDO device" ON) @@ -49,6 +49,14 @@ add_definitions(-D_FIDO_MINOR=${FIDO_MINOR}) add_definitions(-D_FIDO_PATCH=${FIDO_PATCH}) +if(BUILD_SHARED_LIBS) + set(_FIDO2_LIBRARY fido2_shared) +elseif(BUILD_STATIC_LIBS) + set(_FIDO2_LIBRARY fido2) +else() + message(FATAL_ERROR "Nothing to build (BUILD_*_LIBS=OFF)") +endif() + if(CYGWIN OR MSYS OR MINGW) set(WIN32 1) endif() @@ -151,7 +159,7 @@ endif() endforeach() -if(HAVE_EXPLICIT_BZERO AND NOT LIBFUZZER) +if(HAVE_EXPLICIT_BZERO AND NOT FUZZ) add_definitions(-DHAVE_EXPLICIT_BZERO) endif() 
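Review bot: Dropping `option(LIBFUZZER ...)` silently turns an existing `-DLIBFUZZER=ON` into a no-op, so a libFuzzer build configured the old way now produces harnesses without `-fsanitize=fuzzer` (the flag must now come from CMAKE_C_FLAGS and FUZZ_LDFLAGS, per the fuzz/README change in this commit). A loud failure next to the new `option(BUILD_TESTS ...)` line would make the migration obvious: `if(DEFINED LIBFUZZER)` / `message(FATAL_ERROR "LIBFUZZER was removed; pass -DCMAKE_C_FLAGS=-fsanitize=fuzzer-no-link -DFUZZ_LDFLAGS=-fsanitize=fuzzer instead (see fuzz/README)")` / `endif()`. CMake's own "manually-specified variables were not used" warning only appears at the end of an otherwise successful configure, which is easy to miss.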
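Review bot: `if(HAVE_EXPLICIT_BZERO AND NOT FUZZ)` widens the exclusion from libFuzzer builds to every FUZZ build without saying why the libc explicit_bzero is avoided under fuzzing, and the same LIBFUZZER-to-FUZZ widening happens at `if(NOT FUZZ)` around `-Wframe-larger-than=2047` in the later hunk of this file. Because explicit_bzero is the primitive that scrubs key material, a one-line why-comment is worth having here, e.g. `# FUZZ: do not advertise libc explicit_bzero; <reason>` with the reason filled in (presumably so that the compat implementation shipped with the project is built and instrumented instead — confirm). The same note applies to the -Wframe-larger-than line if the motivation differs.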
@@ -159,19 +167,30 @@ add_definitions(-DHAVE_DEV_URANDOM) endif() + if(MSVC) if((NOT CBOR_INCLUDE_DIRS) OR (NOT CBOR_LIBRARY_DIRS) OR - (NOT CBOR_BIN_DIRS) OR (NOT CRYPTO_INCLUDE_DIRS) OR - (NOT CRYPTO_LIBRARY_DIRS) OR (NOT CRYPTO_BIN_DIRS) OR - (NOT ZLIB_INCLUDE_DIRS) OR (NOT ZLIB_LIBRARY_DIRS) OR - (NOT ZLIB_BIN_DIRS)) + (NOT CRYPTO_INCLUDE_DIRS) OR (NOT CRYPTO_LIBRARY_DIRS) OR + (NOT ZLIB_INCLUDE_DIRS) OR (NOT ZLIB_LIBRARY_DIRS)) message(FATAL_ERROR "please define " - "{CBOR,CRYPTO,ZLIB}_{INCLUDE,LIBRARY,BIN}_DIRS when " + "{CBOR,CRYPTO,ZLIB}_{INCLUDE,LIBRARY}_DIRS when " "building under msvc") endif() - set(CBOR_LIBRARIES cbor) - set(ZLIB_LIBRARIES zlib1) - set(CRYPTO_LIBRARIES crypto-49) + if(BUILD_TESTS AND BUILD_SHARED_LIBS AND + ((NOT CBOR_BIN_DIRS) OR (NOT ZLIB_BIN_DIRS) OR (NOT CRYPTO_BIN_DIRS))) + message(FATAL_ERROR "please define {CBOR,CRYPTO,ZLIB}_BIN_DIRS " + "when building tests") + endif() + if(NOT CBOR_LIBRARIES) + set(CBOR_LIBRARIES cbor) + endif() + if(NOT ZLIB_LIBRARIES) + set(ZLIB_LIBRARIES zlib1) + endif() + if(NOT CRYPTO_LIBRARIES) + set(CRYPTO_LIBRARIES crypto) + endif() + set(MSVC_DISABLED_WARNINGS_LIST "C4152" # nonstandard extension used: function/data pointer # conversion in expression; @@ -213,8 +232,12 @@ message(FATAL_ERROR "could not find zlib") endif() - set(CBOR_LIBRARIES "cbor") - set(CRYPTO_LIBRARIES "crypto") + if(NOT CBOR_LIBRARIES) + set(CBOR_LIBRARIES "cbor") + endif() + if(NOT CRYPTO_LIBRARIES) + set(CRYPTO_LIBRARIES "crypto") + endif() if(CMAKE_SYSTEM_NAME STREQUAL "Linux") pkg_search_module(UDEV libudev REQUIRED) @@ -305,9 +328,7 @@ add_definitions(-DOPENSSL_API_COMPAT=0x10100000L) endif() - if(LIBFUZZER) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=fuzzer-no-link") - else() + if(NOT FUZZ) set(EXTRA_CFLAGS "${EXTRA_CFLAGS} -Wframe-larger-than=2047") endif() endif() 
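Review bot: The new guard `if(BUILD_TESTS AND BUILD_SHARED_LIBS AND ((NOT CBOR_BIN_DIRS) OR (NOT ZLIB_BIN_DIRS) OR (NOT CRYPTO_BIN_DIRS)))` only fires for shared-library test builds, but its message says `"when building tests"`, so it reads as if every test build needs *_BIN_DIRS; `"when building tests against shared libraries"` would match the condition. The `if(NOT CBOR_LIBRARIES)` / `if(NOT ZLIB_LIBRARIES)` / `if(NOT CRYPTO_LIBRARIES)` fallbacks added here, and the matching pair in the `@@ -213` hunk below, make those three variables user-overridable for the first time, yet the README.adoc options table in this commit only removes LIBFUZZER; the new knobs belong in that table. Also worth a line in NEWS or the README: the MSVC default changes from `crypto-49` to `crypto`, which anyone relying on the old implicit name will hit at link time.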
@@ -391,6 +412,9 @@ message(STATUS "CBOR_INCLUDE_DIRS: ${CBOR_INCLUDE_DIRS}") message(STATUS "CBOR_LIBRARIES: ${CBOR_LIBRARIES}") message(STATUS "CBOR_LIBRARY_DIRS: ${CBOR_LIBRARY_DIRS}") +if(BUILD_TESTS) + message(STATUS "CBOR_BIN_DIRS: ${CBOR_BIN_DIRS}") +endif() message(STATUS "CBOR_VERSION: ${CBOR_VERSION}") message(STATUS "CMAKE_BUILD_TYPE: ${CMAKE_BUILD_TYPE}") message(STATUS "CMAKE_C_COMPILER: ${CMAKE_C_COMPILER}") @@ -408,12 +432,21 @@ message(STATUS "CRYPTO_INCLUDE_DIRS: ${CRYPTO_INCLUDE_DIRS}") message(STATUS "CRYPTO_LIBRARIES: ${CRYPTO_LIBRARIES}") message(STATUS "CRYPTO_LIBRARY_DIRS: ${CRYPTO_LIBRARY_DIRS}") +if(BUILD_TESTS) + message(STATUS "CRYPTO_BIN_DIRS: ${CRYPTO_BIN_DIRS}") +endif() message(STATUS "CRYPTO_VERSION: ${CRYPTO_VERSION}") message(STATUS "FIDO_VERSION: ${FIDO_VERSION}") message(STATUS "FUZZ: ${FUZZ}") +if(FUZZ) + message(STATUS "FUZZ_LDFLAGS: ${FUZZ_LDFLAGS}") +endif() message(STATUS "ZLIB_INCLUDE_DIRS: ${ZLIB_INCLUDE_DIRS}") message(STATUS "ZLIB_LIBRARIES: ${ZLIB_LIBRARIES}") message(STATUS "ZLIB_LIBRARY_DIRS: ${ZLIB_LIBRARY_DIRS}") +if(BUILD_TESTS) + message(STATUS "ZLIB_BIN_DIRS: ${ZLIB_BIN_DIRS}") +endif() message(STATUS "ZLIB_VERSION: ${ZLIB_VERSION}") if(USE_HIDAPI) message(STATUS "HIDAPI_INCLUDE_DIRS: ${HIDAPI_INCLUDE_DIRS}") @@ -425,7 +458,6 @@ message(STATUS "PCSC_LIBRARIES: ${PCSC_LIBRARIES}") message(STATUS "PCSC_LIBRARY_DIRS: ${PCSC_LIBRARY_DIRS}") message(STATUS "PCSC_VERSION: ${PCSC_VERSION}") -message(STATUS "LIBFUZZER: ${LIBFUZZER}") message(STATUS "TLS: ${TLS}") message(STATUS "UDEV_INCLUDE_DIRS: ${UDEV_INCLUDE_DIRS}") message(STATUS "UDEV_LIBRARIES: ${UDEV_LIBRARIES}") 
@@ -437,33 +469,30 @@ message(STATUS "USE_WINHELLO: ${USE_WINHELLO}") message(STATUS "NFC_LINUX: ${NFC_LINUX}") -if(BUILD_SHARED_LIBS) - set(_FIDO2_LIBRARY fido2_shared) -elseif(BUILD_STATIC_LIBS) - set(_FIDO2_LIBRARY fido2) -else() - message(FATAL_ERROR "Nothing to build (BUILD_*_LIBS=OFF)") +if(BUILD_TESTS) + enable_testing() endif() -enable_testing() +add_subdirectory(src) -subdirs(src) -subdirs(regress) +if(BUILD_TESTS) + add_subdirectory(regress) +endif() if(BUILD_EXAMPLES) - subdirs(examples) + add_subdirectory(examples) endif() if(BUILD_TOOLS) - subdirs(tools) + add_subdirectory(tools) endif() if(BUILD_MANPAGES) - subdirs(man) + add_subdirectory(man) endif() if(NOT WIN32) if(FUZZ) - subdirs(fuzz) + add_subdirectory(fuzz) endif() if(CMAKE_SYSTEM_NAME STREQUAL "Linux") - subdirs(udev) + add_subdirectory(udev) endif() endif() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/LICENSE new/libfido2-1.13.0/LICENSE --- old/libfido2-1.12.0/LICENSE 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/LICENSE 2023-02-20 09:21:28.000000000 +0100 @@ -1,4 +1,4 @@ -Copyright (c) 2018-2022 Yubico AB. All rights reserved. +Copyright (c) 2018-2023 Yubico AB. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/NEWS new/libfido2-1.13.0/NEWS --- old/libfido2-1.12.0/NEWS 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/NEWS 2023-02-20 09:21:28.000000000 +0100 
@@ -1,3 +1,11 @@ +* Version 1.13.0 (2023-02-20) + ** Support for linking against OpenSSL on Windows; gh#668. + ** New API calls: + - fido_assert_empty_allow_list; + - fido_cred_empty_exclude_list. + ** fido2-token: fix issue when listing large blobs. + ** Improved support for different fuzzing engines. + * Version 1.12.0 (2022-09-22) ** Support for COSE_ES384. ** Support for hidraw(4) on FreeBSD; gh#597. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/README.adoc new/libfido2-1.13.0/README.adoc --- old/libfido2-1.12.0/README.adoc 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/README.adoc 2023-02-20 09:21:28.000000000 +0100 @@ -38,7 +38,7 @@ === Releases -The current release of *libfido2* is 1.12.0. Signed release tarballs are +The current release of *libfido2* is 1.13.0. Signed release tarballs are available at Yubico's https://developers.yubico.com/libfido2/Releases[release page]. @@ -119,7 +119,6 @@ | BUILD_STATIC_LIBS | Build a static library | ON | BUILD_TOOLS | Build auxiliary tools | ON | FUZZ | Enable fuzzing instrumentation | OFF -| LIBFUZZER | Build libfuzzer harnesses | OFF | NFC_LINUX | Enable netlink NFC support on Linux | ON | USE_HIDAPI | Use hidapi as the HID backend | OFF | USE_PCSC | Enable experimental PCSC support | OFF diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/examples/README.adoc new/libfido2-1.13.0/examples/README.adoc --- old/libfido2-1.12.0/examples/README.adoc 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/examples/README.adoc 2023-02-20 09:21:28.000000000 +0100 @@ -20,8 +20,7 @@ - <pubkey> - The file system path of a file containing a NIST P-256 public key in - PEM format. + The file system path of a file containing a public key in PEM format. - <blobkey> 
@@ -72,8 +71,10 @@ Asks <device> for a FIDO2 assertion corresponding to [cred_id], which may be omitted for resident keys. The obtained assertion is verified using <pubkey>. The -p option requests that the user - be present. User verification may be requested through the -v - option. If option -u is specified, the assertion is generated using + be present and checks whether the user presence bit was signed by the + authenticator. The -v option requests user verification and checks + whether the user verification bit was signed by the authenticator. + If option -u is specified, the assertion is generated using U2F (CTAP1) instead of FIDO2 (CTAP2) commands. If option -s is specified, a FIDO2 hmac-secret is requested from the authenticator, and the contents of <hmac_salt> are used as the salt. If option -h diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/fuzz/CMakeLists.txt new/libfido2-1.13.0/fuzz/CMakeLists.txt --- old/libfido2-1.12.0/fuzz/CMakeLists.txt 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/fuzz/CMakeLists.txt 2023-02-20 09:21:28.000000000 +0100 @@ -1,4 +1,4 @@ -# Copyright (c) 2019 Yubico AB. All rights reserved. +# Copyright (c) 2019-2023 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. # SPDX-License-Identifier: BSD-2-Clause 
@@ -13,58 +13,70 @@ mutator_aux.c ) -set(FUZZ_LDFLAGS "-fsanitize=fuzzer") +# XXX: OSS-Fuzz require linking using CXX +set(FUZZ_LINKER_LANGUAGE "C" CACHE STRING "Linker language for fuzz harnesses") +mark_as_advanced(FUZZ_LINKER_LANGUAGE) +enable_language(${FUZZ_LINKER_LANGUAGE}) # fuzz_cred add_executable(fuzz_cred fuzz_cred.c ${COMMON_SOURCES} ${COMPAT_SOURCES}) -target_compile_options(fuzz_cred PRIVATE ${FUZZ_LDFLAGS}) -set_target_properties(fuzz_cred PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS}) +set_target_properties(fuzz_cred PROPERTIES + LINK_FLAGS ${FUZZ_LDFLAGS} + LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE}) target_link_libraries(fuzz_cred fido2_shared) # fuzz_assert add_executable(fuzz_assert fuzz_assert.c ${COMMON_SOURCES} ${COMPAT_SOURCES}) -target_compile_options(fuzz_assert PRIVATE ${FUZZ_LDFLAGS}) -set_target_properties(fuzz_assert PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS}) +set_target_properties(fuzz_assert PROPERTIES + LINK_FLAGS ${FUZZ_LDFLAGS} + LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE}) target_link_libraries(fuzz_assert fido2_shared) # fuzz_mgmt add_executable(fuzz_mgmt fuzz_mgmt.c ${COMMON_SOURCES} ${COMPAT_SOURCES}) -target_compile_options(fuzz_mgmt PRIVATE ${FUZZ_LDFLAGS}) -set_target_properties(fuzz_mgmt PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS}) +set_target_properties(fuzz_mgmt PROPERTIES + LINK_FLAGS ${FUZZ_LDFLAGS} + LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE}) target_link_libraries(fuzz_mgmt fido2_shared) # fuzz_credman add_executable(fuzz_credman fuzz_credman.c ${COMMON_SOURCES} ${COMPAT_SOURCES}) -target_compile_options(fuzz_credman PRIVATE ${FUZZ_LDFLAGS}) -set_target_properties(fuzz_credman PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS}) +set_target_properties(fuzz_credman PROPERTIES + LINK_FLAGS ${FUZZ_LDFLAGS} + LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE}) target_link_libraries(fuzz_credman fido2_shared) # fuzz_bio add_executable(fuzz_bio fuzz_bio.c ${COMMON_SOURCES} ${COMPAT_SOURCES}) -target_compile_options(fuzz_bio PRIVATE ${FUZZ_LDFLAGS}) 
-set_target_properties(fuzz_bio PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS}) +set_target_properties(fuzz_bio PROPERTIES + LINK_FLAGS ${FUZZ_LDFLAGS} + LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE}) target_link_libraries(fuzz_bio fido2_shared) # fuzz_hid add_executable(fuzz_hid fuzz_hid.c ${COMMON_SOURCES} ${COMPAT_SOURCES}) -target_compile_options(fuzz_hid PRIVATE ${FUZZ_LDFLAGS}) -set_target_properties(fuzz_hid PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS}) +set_target_properties(fuzz_hid PROPERTIES + LINK_FLAGS ${FUZZ_LDFLAGS} + LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE}) target_link_libraries(fuzz_hid fido2_shared) # fuzz_netlink add_executable(fuzz_netlink fuzz_netlink.c ${COMMON_SOURCES} ${COMPAT_SOURCES}) -target_compile_options(fuzz_netlink PRIVATE ${FUZZ_LDFLAGS}) -set_target_properties(fuzz_netlink PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS}) +set_target_properties(fuzz_netlink PROPERTIES + LINK_FLAGS ${FUZZ_LDFLAGS} + LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE}) target_link_libraries(fuzz_netlink fido2_shared) # fuzz_largeblob add_executable(fuzz_largeblob fuzz_largeblob.c ${COMMON_SOURCES} ${COMPAT_SOURCES}) -target_compile_options(fuzz_largeblob PRIVATE ${FUZZ_LDFLAGS}) -set_target_properties(fuzz_largeblob PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS}) +set_target_properties(fuzz_largeblob PROPERTIES + LINK_FLAGS ${FUZZ_LDFLAGS} + LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE}) target_link_libraries(fuzz_largeblob fido2_shared) # fuzz_pcsc add_executable(fuzz_pcsc fuzz_pcsc.c ${COMMON_SOURCES} ${COMPAT_SOURCES}) -target_compile_options(fuzz_pcsc PRIVATE ${FUZZ_LDFLAGS}) -set_target_properties(fuzz_pcsc PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS}) +set_target_properties(fuzz_pcsc PROPERTIES + LINK_FLAGS ${FUZZ_LDFLAGS} + LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE}) target_link_libraries(fuzz_pcsc fido2_shared) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/fuzz/Dockerfile new/libfido2-1.13.0/fuzz/Dockerfile --- old/libfido2-1.12.0/fuzz/Dockerfile 
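Review bot: With `set(FUZZ_LDFLAGS "-fsanitize=fuzzer")` removed, FUZZ_LDFLAGS is defined only when the user passes it on the command line, and each new `set_target_properties(... LINK_FLAGS ${FUZZ_LDFLAGS} LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE})` block expands it unquoted; when it is empty the argument list collapses to `LINK_FLAGS LINKER_LANGUAGE C`, an unpaired property/value list that CMake rejects, so `-DFUZZ=ON` without `-DFUZZ_LDFLAGS=...` now fails in an unrelated-looking way. Quote the expansion (`LINK_FLAGS "${FUZZ_LDFLAGS}"`) and declare the variable next to FUZZ_LINKER_LANGUAGE, e.g. `set(FUZZ_LDFLAGS "" CACHE STRING "Linker flags for fuzz harnesses")`, which also gives the top-level `message(STATUS "FUZZ_LDFLAGS: ...")` something defined to print. The nine identical add_executable/set_target_properties/target_link_libraries blocks in this hunk can then collapse into one loop, as below.
```cmake
set(FUZZ_LDFLAGS "" CACHE STRING "Linker flags for fuzz harnesses")
# … unchanged: FUZZ_LINKER_LANGUAGE cache entry, mark_as_advanced, enable_language …

# One harness per fuzz_<name>.c; all share COMMON_SOURCES/COMPAT_SOURCES and link fido2_shared.
foreach(harness cred assert mgmt credman bio hid netlink largeblob pcsc)
  add_executable(fuzz_${harness} fuzz_${harness}.c ${COMMON_SOURCES} ${COMPAT_SOURCES})
  set_target_properties(fuzz_${harness} PROPERTIES
    LINK_FLAGS "${FUZZ_LDFLAGS}"
    LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE})
  target_link_libraries(fuzz_${harness} fido2_shared)
endforeach()
```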
2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/fuzz/Dockerfile 2023-02-20 09:21:28.000000000 +0100 @@ -1,4 +1,4 @@ -# Copyright (c) 2019-2022 Yubico AB. All rights reserved. +# Copyright (c) 2019-2023 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. # SPDX-License-Identifier: BSD-2-Clause @@ -10,7 +10,7 @@ RUN apk add build-base clang clang-analyzer cmake compiler-rt coreutils RUN apk add eudev-dev git linux-headers llvm openssl-dev pcsc-lite-dev RUN apk add sudo tar zlib-dev -RUN git clone --branch v0.9.0 --depth=1 https://github.com/PJK/libcbor +RUN git clone --branch v0.10.1 --depth=1 https://github.com/PJK/libcbor RUN git clone --depth=1 https://github.com/yubico/libfido2 WORKDIR /libfido2 RUN ./fuzz/build-coverage /libcbor /libfido2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/fuzz/Makefile new/libfido2-1.13.0/fuzz/Makefile --- old/libfido2-1.12.0/fuzz/Makefile 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/fuzz/Makefile 2023-02-20 09:21:28.000000000 +0100 @@ -1,9 +1,9 @@ -# Copyright (c) 2019-2022 Yubico AB. All rights reserved. +# Copyright (c) 2019-2023 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. # SPDX-License-Identifier: BSD-2-Clause -IMAGE := libfido2-coverage:1.12.2 +IMAGE := libfido2-coverage:1.13.1 RUNNER := libfido2-runner PROFDATA := llvm-profdata COV := llvm-cov diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/fuzz/README new/libfido2-1.13.0/fuzz/README --- old/libfido2-1.12.0/fuzz/README 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/fuzz/README 2023-02-20 09:21:28.000000000 +0100 
@@ -8,7 +8,8 @@ libFuzzer is better suited for bespoke fuzzers; see fuzz_cred.c, fuzz_credman.c, fuzz_assert.c, fuzz_hid.c, and fuzz_mgmt.c for examples. To build these -harnesses, use -DFUZZ=ON -DLIBFUZZER=ON. +harnesses, use -DCMAKE_C_FLAGS=-fsanitize=fuzzer-no-link +-DFUZZ_LDFLAGS=-fsanitize=fuzzer -DFUZZ=ON. If -DFUZZ=ON is enabled, symbols listed in wrapped.sym are wrapped in the resulting shared object. The wrapper functions simulate failure according to a @@ -21,20 +22,22 @@ libcbor and OpenSSL built with the respective sanitiser. In order to keep memory utilisation at a manageable level, you can either enforce limits at the OS level (e.g. cgroups on Linux), or patch libcbor with the diff below. +N.B., the patch below is relative to libcbor 0.10.1. diff --git src/cbor/internal/memory_utils.c src/cbor/internal/memory_utils.c -index aa049a2..e294b38 100644 +index bbea63c..3f7c9af 100644 --- src/cbor/internal/memory_utils.c +++ src/cbor/internal/memory_utils.c -@@ -28,7 +28,10 @@ bool _cbor_safe_to_multiply(size_t a, size_t b) { +@@ -41,7 +41,11 @@ size_t _cbor_safe_signaling_add(size_t a, size_t b) { void* _cbor_alloc_multiple(size_t item_size, size_t item_count) { if (_cbor_safe_to_multiply(item_size, item_count)) { -- return _CBOR_MALLOC(item_size * item_count); +- return _cbor_malloc(item_size * item_count); + if (item_count > 1000) { + return NULL; -+ } else -+ return _CBOR_MALLOC(item_size * item_count); ++ } else { ++ return _cbor_malloc(item_size * item_count); ++ } } else { return NULL; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/fuzz/build-coverage new/libfido2-1.13.0/fuzz/build-coverage --- old/libfido2-1.12.0/fuzz/build-coverage 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/fuzz/build-coverage 2023-02-20 09:21:28.000000000 +0100 
@@ -26,7 +26,9 @@ # Build libfido2. mkdir -p "${LIBFIDO2}/build" export CFLAGS="-fprofile-instr-generate -fcoverage-mapping" +export CFLAGS="${CFLAGS} -fsanitize=fuzzer-no-link" export LDFLAGS="${CFLAGS}" -(cd "${LIBFIDO2}/build" && cmake -DFUZZ=ON -DLIBFUZZER=ON \ - -DCMAKE_BUILD_TYPE=Debug ..) +export FUZZ_LDFLAGS="${LDFLAGS} -fsanitize=fuzzer" +(cd "${LIBFIDO2}/build" && cmake -DFUZZ=ON -DFUZZ_LDFLAGS="${FUZZ_LDFLAGS}" \ + -DCMAKE_BUILD_TYPE=Debug ..) make -C "${LIBFIDO2}/build" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/fuzz/fuzz_assert.c new/libfido2-1.13.0/fuzz/fuzz_assert.c --- old/libfido2-1.12.0/fuzz/fuzz_assert.c 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/fuzz/fuzz_assert.c 2023-02-20 09:21:28.000000000 +0100 @@ -141,7 +141,7 @@ goto fail; if ((cbor_len = cbor_serialize_alloc(array, &cbor, - &cbor_alloc_len)) > len) { + &cbor_alloc_len)) == 0 || cbor_len > len) { cbor_len = 0; goto fail; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/fuzz/fuzz_bio.c new/libfido2-1.13.0/fuzz/fuzz_bio.c --- old/libfido2-1.12.0/fuzz/fuzz_bio.c 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/fuzz/fuzz_bio.c 2023-02-20 09:21:28.000000000 +0100 @@ -155,7 +155,7 @@ goto fail; if ((cbor_len = cbor_serialize_alloc(array, &cbor, - &cbor_alloc_len)) > len) { + &cbor_alloc_len)) == 0 || cbor_len > len) { cbor_len = 0; goto fail; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/fuzz/fuzz_cred.c new/libfido2-1.13.0/fuzz/fuzz_cred.c --- old/libfido2-1.12.0/fuzz/fuzz_cred.c 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/fuzz/fuzz_cred.c 2023-02-20 09:21:28.000000000 +0100 
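Review bot: The added `== 0 ||` is the right fix — cbor_serialize_alloc() signals failure by returning 0, and with only `> len` that case fell through to the copy below with `cbor` presumably NULL or unset — but it is now copy-pasted into nine harnesses (fuzz_assert.c, fuzz_bio.c, fuzz_cred.c, fuzz_credman.c, fuzz_hid.c, fuzz_largeblob.c, fuzz_mgmt.c, fuzz_netlink.c, fuzz_pcsc.c), so the next correction to this check has to be applied nine times again. Consider hoisting the serialize-and-bound-check into one helper in mutator_aux.c, which every harness already compiles via COMMON_SOURCES, so the length check lives in one place. The enclosing function starts and ends outside the hunk, so I cannot see what `fail:` does with `cbor` on this path; if it frees it, the pointer must be initialised to NULL before this call.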
@@ -151,7 +151,7 @@ goto fail; if ((cbor_len = cbor_serialize_alloc(array, &cbor, - &cbor_alloc_len)) > len) { + &cbor_alloc_len)) == 0 || cbor_len > len) { cbor_len = 0; goto fail; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/fuzz/fuzz_credman.c new/libfido2-1.13.0/fuzz/fuzz_credman.c --- old/libfido2-1.12.0/fuzz/fuzz_credman.c 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/fuzz/fuzz_credman.c 2023-02-20 09:21:28.000000000 +0100 @@ -142,7 +142,7 @@ goto fail; if ((cbor_len = cbor_serialize_alloc(array, &cbor, - &cbor_alloc_len)) > len) { + &cbor_alloc_len)) == 0 || cbor_len > len) { cbor_len = 0; goto fail; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/fuzz/fuzz_hid.c new/libfido2-1.13.0/fuzz/fuzz_hid.c --- old/libfido2-1.12.0/fuzz/fuzz_hid.c 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/fuzz/fuzz_hid.c 2023-02-20 09:21:28.000000000 +0100 @@ -105,7 +105,7 @@ goto fail; if ((cbor_len = cbor_serialize_alloc(array, &cbor, - &cbor_alloc_len)) > len) { + &cbor_alloc_len)) == 0 || cbor_len > len) { cbor_len = 0; goto fail; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/fuzz/fuzz_largeblob.c new/libfido2-1.13.0/fuzz/fuzz_largeblob.c --- old/libfido2-1.12.0/fuzz/fuzz_largeblob.c 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/fuzz/fuzz_largeblob.c 2023-02-20 09:21:28.000000000 +0100 
@@ -119,7 +119,7 @@ goto fail; if ((cbor_len = cbor_serialize_alloc(array, &cbor, - &cbor_alloc_len)) > len) { + &cbor_alloc_len)) == 0 || cbor_len > len) { cbor_len = 0; goto fail; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/fuzz/fuzz_mgmt.c new/libfido2-1.13.0/fuzz/fuzz_mgmt.c --- old/libfido2-1.12.0/fuzz/fuzz_mgmt.c 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/fuzz/fuzz_mgmt.c 2023-02-20 09:21:28.000000000 +0100 @@ -139,7 +139,7 @@ goto fail; if ((cbor_len = cbor_serialize_alloc(array, &cbor, - &cbor_alloc_len)) > len) { + &cbor_alloc_len)) == 0 || cbor_len > len) { cbor_len = 0; goto fail; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/fuzz/fuzz_netlink.c new/libfido2-1.13.0/fuzz/fuzz_netlink.c --- old/libfido2-1.12.0/fuzz/fuzz_netlink.c 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/fuzz/fuzz_netlink.c 2023-02-20 09:21:28.000000000 +0100 @@ -76,7 +76,7 @@ goto fail; if ((cbor_len = cbor_serialize_alloc(array, &cbor, - &cbor_alloc_len)) > len) { + &cbor_alloc_len)) == 0 || cbor_len > len) { cbor_len = 0; goto fail; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/fuzz/fuzz_pcsc.c new/libfido2-1.13.0/fuzz/fuzz_pcsc.c --- old/libfido2-1.12.0/fuzz/fuzz_pcsc.c 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/fuzz/fuzz_pcsc.c 2023-02-20 09:21:28.000000000 +0100 
@@ -94,7 +94,7 @@ goto fail; if ((cbor_len = cbor_serialize_alloc(array, &cbor, - &cbor_alloc_len)) > len) { + &cbor_alloc_len)) == 0 || cbor_len > len) { cbor_len = 0; goto fail; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/man/CMakeLists.txt new/libfido2-1.13.0/man/CMakeLists.txt --- old/libfido2-1.12.0/man/CMakeLists.txt 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/man/CMakeLists.txt 2023-02-20 09:21:28.000000000 +0100 @@ -59,6 +59,7 @@ es384_pk_new es384_pk_from_EVP_PKEY es384_pk_new es384_pk_from_ptr es384_pk_new es384_pk_to_EVP_PKEY + fido_assert_allow_cred fido_assert_empty_allow_list fido_assert_new fido_assert_authdata_len fido_assert_new fido_assert_authdata_ptr fido_assert_new fido_assert_blob_len @@ -149,6 +150,7 @@ fido_cbor_info_new fido_cbor_info_versions_len fido_cbor_info_new fido_cbor_info_versions_ptr fido_cbor_info_new fido_dev_get_cbor_info + fido_cred_exclude fido_cred_empty_exclude_list fido_cred_new fido_cred_aaguid_len fido_cred_new fido_cred_aaguid_ptr fido_cred_new fido_cred_attstmt_len @@ -295,7 +297,7 @@ # man_html foreach(f ${MAN_SOURCES}) - string(REGEX REPLACE ".[13]" "" g ${f}) + string(REGEX REPLACE "\\.[13]$" "" g ${f}) add_custom_command(OUTPUT ${g}.html COMMAND mandoc -T html -O man="%N.html",style=style.css -I os="Yubico AB" ${f} > ${g}.html DEPENDS ${f}) @@ -304,7 +306,7 @@ # man_html_partial foreach(f ${MAN_SOURCES}) - string(REGEX REPLACE ".[13]" "" g ${f}) + string(REGEX REPLACE "\\.[13]$" "" g ${f}) add_custom_command(OUTPUT ${g}.partial COMMAND cat ${PROJECT_SOURCE_DIR}/man/dyc.css > ${g}.partial COMMAND mandoc -T html -O man="%N.html",fragment ${f} >> ${g}.partial 
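Review bot: The escaped, anchored pattern `"\\.[13]$"` fixes the old `".[13]"`, which matched any character followed by a 1 or 3 wherever it occurred, but the same line (`string(REGEX REPLACE "\\.[13]$" "" g ${f})`) is now repeated in the man_html, man_html_partial and install loops; `get_filename_component(g ${f} NAME_WLE)` (CMake 3.14+) says "drop the extension" without a hand-written regex, if the project's minimum version allows it. The install-loop variant additionally rebinds the loop variable (`... "" f ${f}`), which is pre-existing but worth normalising to `g` while these lines are being touched.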
@@ -357,7 +359,7 @@ install(FILES ${PROJECT_SOURCE_DIR}/man/style.css DESTINATION "${CMAKE_INSTALL_DOCDIR}/html") foreach(f ${MAN_SOURCES}) - string(REGEX REPLACE ".[13]" "" f ${f}) + string(REGEX REPLACE "\\.[13]$" "" f ${f}) install(FILES ${PROJECT_BINARY_DIR}/man/${f}.html DESTINATION "${CMAKE_INSTALL_DOCDIR}/html") endforeach() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/man/fido_assert_allow_cred.3 new/libfido2-1.13.0/man/fido_assert_allow_cred.3 --- old/libfido2-1.12.0/man/fido_assert_allow_cred.3 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/man/fido_assert_allow_cred.3 2023-02-20 09:21:28.000000000 +0100 @@ -1,4 +1,4 @@ -.\" Copyright (c) 2018 Yubico AB. All rights reserved. +.\" Copyright (c) 2018-2022 Yubico AB. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions are @@ -25,16 +25,19 @@ .\" .\" SPDX-License-Identifier: BSD-2-Clause .\" -.Dd $Mdocdate: May 23 2018 $ +.Dd $Mdocdate: December 1 2022 $ .Dt FIDO_ASSERT_ALLOW_CRED 3 .Os .Sh NAME -.Nm fido_assert_allow_cred -.Nd allow a credential in a FIDO2 assertion +.Nm fido_assert_allow_cred , +.Nm fido_assert_empty_allow_list +.Nd manage allow lists in a FIDO2 assertion .Sh SYNOPSIS .In fido.h .Ft int .Fn fido_assert_allow_cred "fido_assert_t *assert" "const unsigned char *ptr" "size_t len" +.Ft int +.Fn fido_assert_empty_allow_list "fido_assert_t *assert" .Sh DESCRIPTION The .Fn fido_assert_allow_cred 
@@ -56,9 +59,16 @@ .Pp For the format of a FIDO2 credential ID, please refer to the Web Authentication (webauthn) standard. +.Pp +The +.Fn fido_assert_empty_allow_list +function empties the list of credentials allowed in +.Fa assert . .Sh RETURN VALUES The error codes returned by .Fn fido_assert_allow_cred +and +.Fn fido_assert_empty_allow_list are defined in .In fido/err.h . On success, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/man/fido_cred_exclude.3 new/libfido2-1.13.0/man/fido_cred_exclude.3 --- old/libfido2-1.12.0/man/fido_cred_exclude.3 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/man/fido_cred_exclude.3 2023-02-20 09:21:28.000000000 +0100 @@ -1,4 +1,4 @@ -.\" Copyright (c) 2018 Yubico AB. All rights reserved. +.\" Copyright (c) 2018-2022 Yubico AB. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions are @@ -25,16 +25,19 @@ .\" .\" SPDX-License-Identifier: BSD-2-Clause .\" -.Dd $Mdocdate: May 23 2018 $ +.Dd $Mdocdate: December 2 2022 $ .Dt FIDO_CRED_EXCLUDE 3 .Os .Sh NAME -.Nm fido_cred_exclude -.Nd appends a credential ID to a credential's list of excluded credentials +.Nm fido_cred_exclude , +.Nm fido_cred_empty_exclude_list +.Nd manage exclude lists in a FIDO2 credential .Sh SYNOPSIS .In fido.h .Ft int .Fn fido_cred_exclude "fido_cred_t *cred" "const unsigned char *ptr" "size_t len" +.Ft int +.Fn fido_cred_empty_exclude_list "fido_cred_t *cred" .Sh DESCRIPTION The .Fn fido_cred_exclude 
@@ -69,9 +72,16 @@ .Pp For the format of a FIDO2 credential ID, please refer to the Web Authentication (webauthn) standard. +.Pp +The +.Fn fido_cred_empty_exclude_list +function empties the list of credentials excluded by +.Fa cred . .Sh RETURN VALUES The error codes returned by .Fn fido_cred_exclude +and +.Fn fido_cred_empty_exclude_list are defined in .In fido/err.h . On success, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/src/assert.c new/libfido2-1.13.0/src/assert.c --- old/libfido2-1.12.0/src/assert.c 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/src/assert.c 2023-02-20 09:21:28.000000000 +0100 @@ -673,7 +673,15 @@ free(id.ptr); return (r); +} +int +fido_assert_empty_allow_list(fido_assert_t *assert) +{ + fido_free_blob_array(&assert->allow_list); + memset(&assert->allow_list, 0, sizeof(assert->allow_list)); + + return (FIDO_OK); } int @@ -740,9 +748,8 @@ fido_blob_reset(&assert->cd); fido_blob_reset(&assert->cdh); fido_blob_reset(&assert->ext.hmac_salt); - fido_free_blob_array(&assert->allow_list); + fido_assert_empty_allow_list(assert); memset(&assert->ext, 0, sizeof(assert->ext)); - memset(&assert->allow_list, 0, sizeof(assert->allow_list)); assert->rp_id = NULL; assert->up = FIDO_OPT_OMIT; assert->uv = FIDO_OPT_OMIT; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/src/cred.c new/libfido2-1.13.0/src/cred.c --- old/libfido2-1.12.0/src/cred.c 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/src/cred.c 2023-02-20 09:21:28.000000000 +0100 @@ -562,11 +562,10 @@ free(cred->user.icon); free(cred->user.name); free(cred->user.display_name); - fido_free_blob_array(&cred->excl); + fido_cred_empty_exclude_list(cred); memset(&cred->rp, 0, sizeof(cred->rp)); memset(&cred->user, 0, sizeof(cred->user)); - memset(&cred->excl, 0, sizeof(cred->excl)); memset(&cred->ext, 0, sizeof(cred->ext)); cred->type = 0; 
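Review bot: As far as the collapsed diff shows, `fido_assert_empty_allow_list()` is spliced in directly between the preceding function's closing `}` and its own `int` with no separating blank line, and the cred.c counterpart `fido_cred_empty_exclude_list()` in this commit has the mirror image (blank line before, none after); both should get the single blank line that separates every other function in these files. The reset code in the `@@ -740` hunk (and the cred.c `@@ -562` hunk) now calls through these helpers and discards the return value, which is correct only because both unconditionally `return (FIDO_OK)`; since the man page hunks point readers at the err.h codes, one sentence there noting that the call currently always succeeds would save callers from writing dead error handling.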
@@ -764,6 +763,15 @@ return (FIDO_OK); } + +int +fido_cred_empty_exclude_list(fido_cred_t *cred) +{ + fido_free_blob_array(&cred->excl); + memset(&cred->excl, 0, sizeof(cred->excl)); + + return (FIDO_OK); +} int fido_cred_set_clientdata(fido_cred_t *cred, const unsigned char *data, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/src/eddsa.c new/libfido2-1.13.0/src/eddsa.c --- old/libfido2-1.12.0/src/eddsa.c 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/src/eddsa.c 2023-02-20 09:21:28.000000000 +0100 @@ -11,7 +11,7 @@ #include "fido.h" #include "fido/eddsa.h" -#if defined(LIBRESSL_VERSION_NUMBER) +#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3070000f EVP_PKEY * EVP_PKEY_new_raw_public_key(int type, ENGINE *e, const unsigned char *key, size_t keylen) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/src/export.gnu new/libfido2-1.13.0/src/export.gnu --- old/libfido2-1.12.0/src/export.gnu 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/src/export.gnu 2023-02-20 09:21:28.000000000 +0100 @@ -25,6 +25,7 @@ fido_assert_clientdata_hash_len; fido_assert_clientdata_hash_ptr; fido_assert_count; + fido_assert_empty_allow_list; fido_assert_flags; fido_assert_free; fido_assert_hmac_secret_len; @@ -125,6 +126,7 @@ fido_cred_clientdata_hash_len; fido_cred_clientdata_hash_ptr; fido_cred_display_name; + fido_cred_empty_exclude_list; fido_cred_exclude; fido_cred_flags; fido_cred_largeblob_key_len; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/src/export.llvm new/libfido2-1.13.0/src/export.llvm --- old/libfido2-1.12.0/src/export.llvm 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/src/export.llvm 2023-02-20 09:21:28.000000000 +0100 
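Review bot: `#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3070000f` gates the EVP_PKEY_new_raw_public_key() shim on a bare hex constant with no explanation, here and in the identical guard in src/fido/eddsa.h later in this commit. A short comment on both, e.g. `/* LibreSSL < 3.7.0 lacks the EVP_PKEY raw-key API; provide compat versions */`, records why the cut-off is 3.7 and spares the next reader from decoding the version encoding. If a third copy of the condition ever appears it is worth a single `FIDO_LIBRESSL_NEEDS_RAW_KEY_SHIM`-style macro (name constructed), but two identical lines are fine for now.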
@@ -23,6 +23,7 @@
 _fido_assert_clientdata_hash_len
 _fido_assert_clientdata_hash_ptr
 _fido_assert_count
+_fido_assert_empty_allow_list
 _fido_assert_flags
 _fido_assert_free
 _fido_assert_hmac_secret_len
@@ -123,6 +124,7 @@
 _fido_cred_clientdata_hash_len
 _fido_cred_clientdata_hash_ptr
 _fido_cred_display_name
+_fido_cred_empty_exclude_list
 _fido_cred_exclude
 _fido_cred_flags
 _fido_cred_largeblob_key_len
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/src/export.msvc new/libfido2-1.13.0/src/export.msvc
--- old/libfido2-1.12.0/src/export.msvc 2022-09-22 10:18:25.000000000 +0200
+++ new/libfido2-1.13.0/src/export.msvc 2023-02-20 09:21:28.000000000 +0100
@@ -24,6 +24,7 @@
 fido_assert_clientdata_hash_len
 fido_assert_clientdata_hash_ptr
 fido_assert_count
+fido_assert_empty_allow_list
 fido_assert_flags
 fido_assert_free
 fido_assert_hmac_secret_len
@@ -124,6 +125,7 @@
 fido_cred_clientdata_hash_len
 fido_cred_clientdata_hash_ptr
 fido_cred_display_name
+fido_cred_empty_exclude_list
 fido_cred_exclude
 fido_cred_flags
 fido_cred_largeblob_key_len
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/src/fido/eddsa.h new/libfido2-1.13.0/src/fido/eddsa.h
--- old/libfido2-1.12.0/src/fido/eddsa.h 2022-09-22 10:18:25.000000000 +0200
+++ new/libfido2-1.13.0/src/fido/eddsa.h 2023-02-20 09:21:28.000000000 +0100
@@ -53,7 +53,7 @@ #ifdef _FIDO_INTERNAL -#if defined(LIBRESSL_VERSION_NUMBER) +#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3070000f #define EVP_PKEY_ED25519 EVP_PKEY_NONE int EVP_PKEY_get_raw_public_key(const EVP_PKEY *, unsigned char *, size_t *); EVP_PKEY *EVP_PKEY_new_raw_public_key(int, ENGINE *, const unsigned char *, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/src/fido.h new/libfido2-1.13.0/src/fido.h --- old/libfido2-1.12.0/src/fido.h 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/src/fido.h 2023-02-20 09:21:28.000000000 +0100 @@ -124,6 +124,7 @@ const unsigned char *fido_cred_x5c_ptr(const fido_cred_t *); int fido_assert_allow_cred(fido_assert_t *, const unsigned char *, size_t); +int fido_assert_empty_allow_list(fido_assert_t *); int fido_assert_set_authdata(fido_assert_t *, size_t, const unsigned char *, size_t); int fido_assert_set_authdata_raw(fido_assert_t *, size_t, const unsigned char *, @@ -143,6 +144,7 @@ int fido_assert_set_sig(fido_assert_t *, size_t, const unsigned char *, size_t); int fido_assert_verify(const fido_assert_t *, size_t, int, const void *); int fido_cbor_info_algorithm_cose(const fido_cbor_info_t *, size_t); +int fido_cred_empty_exclude_list(fido_cred_t *); int fido_cred_exclude(fido_cred_t *, const unsigned char *, size_t); int fido_cred_prot(const fido_cred_t *); int fido_cred_set_attstmt(fido_cred_t *, const unsigned char *, size_t); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/src/tpm.c new/libfido2-1.13.0/src/tpm.c --- old/libfido2-1.12.0/src/tpm.c 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/src/tpm.c 2023-02-20 09:21:28.000000000 +0100 
@@ -48,7 +48,7 @@ /* Part 2, 10.4.3: TPM2B_DATA */ PACKED_TYPE(tpm_sha1_data_t, struct tpm_sha1_data { - uint16_t size; /* sizeof(body */ + uint16_t size; /* sizeof(body) */ uint8_t body[20]; }) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/src/winhello.c new/libfido2-1.13.0/src/winhello.c --- old/libfido2-1.12.0/src/winhello.c 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/src/winhello.c 2023-02-20 09:21:28.000000000 +0100 @@ -85,7 +85,7 @@ fido_log_debug("%s: already loaded", __func__); return -1; } - if ((webauthn_handle = LoadLibrary("webauthn.dll")) == NULL) { + if ((webauthn_handle = LoadLibrary(TEXT("webauthn.dll"))) == NULL) { fido_log_debug("%s: LoadLibrary", __func__); return -1; } @@ -472,12 +472,8 @@ { int r; - if (wa->cbAuthenticatorData > SIZE_MAX) { - fido_log_debug("%s: cbAuthenticatorData", __func__); - return -1; - } if ((r = fido_assert_set_authdata_raw(assert, 0, wa->pbAuthenticatorData, - (size_t)wa->cbAuthenticatorData)) != FIDO_OK) { + wa->cbAuthenticatorData)) != FIDO_OK) { fido_log_debug("%s: fido_assert_set_authdata_raw: %s", __func__, fido_strerr(r)); return -1; @@ -491,12 +487,8 @@ { int r; - if (wa->cbSignature > SIZE_MAX) { - fido_log_debug("%s: cbSignature", __func__); - return -1; - } if ((r = fido_assert_set_sig(assert, 0, wa->pbSignature, - (size_t)wa->cbSignature)) != FIDO_OK) { + wa->cbSignature)) != FIDO_OK) { fido_log_debug("%s: fido_assert_set_sig: %s", __func__, fido_strerr(r)); return -1; @@ -508,12 +500,8 @@ static int unpack_cred_id(fido_assert_t *assert, const WEBAUTHN_ASSERTION *wa) { - if (wa->Credential.cbId > SIZE_MAX) { - fido_log_debug("%s: Credential.cbId", __func__); - return -1; - } if (fido_blob_set(&assert->stmt[0].id, wa->Credential.pbId, - (size_t)wa->Credential.cbId) < 0) { + wa->Credential.cbId) < 0) { fido_log_debug("%s: fido_blob_set", __func__); return -1; } 
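Review bot: The LoadLibrary call in the first winhello.c hunk still resolves `webauthn.dll` by unqualified name, so switching to `TEXT()` keeps the default DLL search order, which consults the application directory before the system directory. Since webauthn.dll is a Windows system library, restricting the lookup to the system directory is the safer default: `LoadLibraryEx(TEXT("webauthn.dll"), NULL, LOAD_LIBRARY_SEARCH_SYSTEM32)`. The enclosing loader function starts before the hunk.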
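Review bot: Dropping the `> SIZE_MAX` guards in this hunk and in the 491, 508, 526, 549, 564 and 752 hunks is sound only because the WEBAUTHN cb* fields are, as far as the SDK headers go, 32-bit DWORDs that the old checks could never exceed; nothing in the new code records that assumption, and the widening to size_t is now implicit. A one-line comment at this first call, `/* cb* fields are DWORD; widening to size_t cannot truncate */`, would make the invariant visible to the next reader. The enclosing unpack function starts above the hunk.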
@@ -526,12 +514,8 @@ { if (wa->cbUserId == 0) return 0; /* user id absent */ - if (wa->cbUserId > SIZE_MAX) { - fido_log_debug("%s: cbUserId", __func__); - return -1; - } if (fido_blob_set(&assert->stmt[0].user.id, wa->pbUserId, - (size_t)wa->cbUserId) < 0) { + wa->cbUserId) < 0) { fido_log_debug("%s: fido_blob_set", __func__); return -1; } @@ -549,7 +533,6 @@ } if (wa->pHmacSecret == NULL || wa->pHmacSecret->cbFirst == 0 || - wa->pHmacSecret->cbFirst > SIZE_MAX || wa->pHmacSecret->pbFirst == NULL) { fido_log_debug("%s: hmac-secret absent", __func__); return 0; /* proceed without hmac-secret */ @@ -564,7 +547,7 @@ return -1; } if (fido_blob_set(&assert->stmt[0].hmac_secret, - wa->pHmacSecret->pbFirst, (size_t)wa->pHmacSecret->cbFirst) < 0) { + wa->pHmacSecret->pbFirst, wa->pHmacSecret->cbFirst) < 0) { fido_log_debug("%s: fido_blob_set", __func__); return -1; } @@ -752,13 +735,12 @@ struct cbor_load_result cbor; int r = FIDO_ERR_INTERNAL; - if (att->pbAttestationObject == NULL || - att->cbAttestationObject > SIZE_MAX) { + if (att->pbAttestationObject == NULL) { fido_log_debug("%s: pbAttestationObject", __func__); goto fail; } if ((item = cbor_load(att->pbAttestationObject, - (size_t)att->cbAttestationObject, &cbor)) == NULL) { + att->cbAttestationObject, &cbor)) == NULL) { fido_log_debug("%s: cbor_load", __func__); goto fail; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/tools/largeblob.c new/libfido2-1.13.0/tools/largeblob.c --- old/libfido2-1.12.0/tools/largeblob.c 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/tools/largeblob.c 2023-02-20 09:21:28.000000000 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2020 Yubico AB. All rights reserved. + * Copyright (c) 2020-2022 Yubico AB. All rights reserved. * Use of this source code is governed by a BSD-style * license that can be found in the LICENSE file. * SPDX-License-Identifier: BSD-2-Clause 
@@ -25,6 +25,8 @@ #include "../openbsd-compat/openbsd-compat.h" #include "extern.h" +#define BOUND (1024UL * 1024UL) + struct rkmap { fido_credman_rp_t *rp; /* known rps */ fido_credman_rk_t **rk; /* rk per rp */ 
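Review bot: `BOUND` is introduced with no comment, and its role only becomes clear in try_decompress further down, where it caps both the compressed input and the inflated output at 1 MiB and thereby bounds the calloc() size and the expansion a malformed blob can force. Suggest `#define BOUND (1024UL * 1024UL) /* max compressed/inflated blob size accepted by try_decompress() */`; a less generic name such as BLOB_BOUND would also reduce the chance of a clash with a macro from the included headers.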
@@ -303,35 +305,57 @@ } static int -decompress(const struct blob *plaintext, uint64_t origsiz) +try_decompress(const struct blob *in, uint64_t origsiz, int wbits) { - struct blob inflated; - u_long ilen, plen; + struct blob out; + z_stream zs; + u_int ilen, olen; int ok = -1; - memset(&inflated, 0, sizeof(inflated)); + memset(&zs, 0, sizeof(zs)); + memset(&out, 0, sizeof(out)); - if (plaintext->len > ULONG_MAX) + if (in->len > UINT_MAX || (ilen = (u_int)in->len) > BOUND) return -1; - if (origsiz > ULONG_MAX || origsiz > SIZE_MAX) + if (origsiz > SIZE_MAX || origsiz > UINT_MAX || + (olen = (u_int)origsiz) > BOUND) return -1; - plen = (u_long)plaintext->len; - ilen = (u_long)origsiz; - inflated.len = (size_t)origsiz; - if ((inflated.ptr = calloc(1, inflated.len)) == NULL) + if (inflateInit2(&zs, wbits) != Z_OK) return -1; - if (uncompress(inflated.ptr, &ilen, plaintext->ptr, plen) != Z_OK || - ilen > SIZE_MAX || (size_t)ilen != (size_t)origsiz) - goto out; - ok = 0; /* success */ -out: - freezero(inflated.ptr, inflated.len); + if ((out.ptr = calloc(1, olen)) == NULL) + goto fail; + + out.len = olen; + zs.next_in = in->ptr; + zs.avail_in = ilen; + zs.next_out = out.ptr; + zs.avail_out = olen; + + if (inflate(&zs, Z_FINISH) != Z_STREAM_END) + goto fail; + if (zs.avail_out != 0) + goto fail; + + ok = 0; +fail: + if (inflateEnd(&zs) != Z_OK) + ok = -1; + + freezero(out.ptr, out.len); return ok; } static int +decompress(const struct blob *plaintext, uint64_t origsiz) +{ + if (try_decompress(plaintext, origsiz, MAX_WBITS) == 0) /* rfc1950 */ + return 0; + return try_decompress(plaintext, origsiz, -MAX_WBITS); /* rfc1951 */ +} + +static int decode(const struct blob *ciphertext, const struct blob *nonce, uint64_t origsiz, const fido_cred_t *cred) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/udev/70-u2f.rules new/libfido2-1.13.0/udev/70-u2f.rules --- old/libfido2-1.12.0/udev/70-u2f.rules 2022-09-22 
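Review bot: try_decompress verifies that the output buffer was filled exactly (`zs.avail_out != 0`) but not that the input was fully consumed, so a blob carrying trailing bytes after the deflate stream still validates: inflate() returns Z_STREAM_END and leaves the remainder in avail_in. If the intent is to accept only a blob that is exactly the compressed form of origsiz bytes, add `if (zs.avail_in != 0) goto fail;` after the avail_out check. The previous uncompress()-based code was equally lenient, so this is a tightening rather than a regression, and the raw-deflate retry in decompress() is unaffected.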
10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/udev/70-u2f.rules 2023-02-20 09:21:28.000000000 +0100 @@ -216,6 +216,9 @@ # TrustKey Solutions FIDO2 G310 by eWBM Co., Ltd. KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="311f", ATTRS{idProduct}=="4a1a", TAG+="uaccess", GROUP="plugdev", MODE="0660" +# TrustKey Solutions FIDO2 G310H/G320H by eWBM Co., Ltd. +KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="311f", ATTRS{idProduct}=="4a2a", TAG+="uaccess", GROUP="plugdev", MODE="0660" + # TrustKey Solutions FIDO2 G320 by eWBM Co., Ltd. KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="311f", ATTRS{idProduct}=="4c2a", TAG+="uaccess", GROUP="plugdev", MODE="0660" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/udev/fidodevs new/libfido2-1.13.0/udev/fidodevs --- old/libfido2-1.12.0/udev/fidodevs 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/udev/fidodevs 2023-02-20 09:21:28.000000000 +0100 @@ -115,6 +115,7 @@ product HYPERSECU 0x0880 Hypersecu HyperFIDO product EWBM 0x4a1a TrustKey Solutions FIDO2 G310 +product EWBM 0x4a2a TrustKey Solutions FIDO2 G310H/G320H product EWBM 0x4c2a TrustKey Solutions FIDO2 G320 product EWBM 0x5c2f eWBM FIDO2 Goldengate G500 product EWBM 0xa6e9 TrustKey Solutions FIDO2 T120 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/windows/build.ps1 new/libfido2-1.13.0/windows/build.ps1 --- old/libfido2-1.12.0/windows/build.ps1 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/windows/build.ps1 2023-02-20 09:21:28.000000000 +0100 
@@ -163,8 +163,8 @@
 & $CMake ..\..\..\${LIBCBOR} -A "${Arch}" `
 -DWITH_EXAMPLES=OFF `
 -DBUILD_SHARED_LIBS="${SHARED}" `
- -DCMAKE_C_FLAGS_DEBUG="${CFLAGS_DEBUG}" `
- -DCMAKE_C_FLAGS_RELEASE="${CFLAGS_RELEASE}" `
+ -DCMAKE_C_FLAGS_DEBUG="${CFLAGS_DEBUG} /wd4703" `
+ -DCMAKE_C_FLAGS_RELEASE="${CFLAGS_RELEASE} /wd4703" `
 -DCMAKE_INSTALL_PREFIX="${PREFIX}" "${CMAKE_SYSTEM_VERSION}"; `
 ExitOnError
 & $CMake --build . --config ${Config} --verbose; ExitOnError
@@ -219,6 +219,7 @@
 -DCRYPTO_INCLUDE_DIRS="${PREFIX}\include" `
 -DCRYPTO_LIBRARY_DIRS="${PREFIX}\lib" `
 -DCRYPTO_BIN_DIRS="${PREFIX}\bin" `
+ -DCRYPTO_LIBRARIES="${CRYPTO_LIBRARIES}" `
 -DCMAKE_C_FLAGS_DEBUG="${CFLAGS_DEBUG} ${Fido2Flags}" `
 -DCMAKE_C_FLAGS_RELEASE="${CFLAGS_RELEASE} ${Fido2Flags}" `
 -DCMAKE_INSTALL_PREFIX="${PREFIX}" "${CMAKE_SYSTEM_VERSION}"; `
@@ -230,7 +231,7 @@
 ExitOnError
 # Copy DLLs.
 if ("${SHARED}" -eq "ON") {
- "cbor.dll", "crypto-49.dll", "zlib1.dll" | `
+ "cbor.dll", "${CRYPTO_LIBRARIES}.dll", "zlib1.dll" | `
 %{ Copy-Item "${PREFIX}\bin\$_" `
 -Destination "examples\${Config}" }
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/windows/const.ps1 new/libfido2-1.13.0/windows/const.ps1
--- old/libfido2-1.12.0/windows/const.ps1 2022-09-22 10:18:25.000000000 +0200
+++ new/libfido2-1.13.0/windows/const.ps1 2023-02-20 09:21:28.000000000 +0100
@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Yubico AB. All rights reserved.
+# Copyright (c) 2021-2023 Yubico AB. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
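Review bot: `/wd4703` is appended to both libcbor configurations with no comment, and it silences MSVC warning C4703 (potentially uninitialized local pointer variable) for the whole libcbor build rather than for the construct that triggers it; presumably the libcbor bump in const.ps1 on the next line introduced the warning. A comment on the first of the two lines, `# /wd4703: silence C4703 raised by libcbor sources; revisit on the next libcbor bump`, records why so the suppression is not carried forward indefinitely.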
@@ -7,17 +7,18 @@ New-Variable -Name 'LIBRESSL_URL' ` -Value 'https://fastly.cdn.openbsd.org/pub/OpenBSD/LibreSSL' ` -Option Constant -New-Variable -Name 'LIBRESSL' -Value 'libressl-3.5.3' -Option Constant +New-Variable -Name 'LIBRESSL' -Value 'libressl-3.6.2' -Option Constant +New-Variable -Name 'CRYPTO_LIBRARIES' -Value 'crypto-50' -Option Constant # libcbor coordinates. -New-Variable -Name 'LIBCBOR' -Value 'libcbor-0.9.0' -Option Constant -New-Variable -Name 'LIBCBOR_BRANCH' -Value 'v0.9.0' -Option Constant +New-Variable -Name 'LIBCBOR' -Value 'libcbor-0.10.1' -Option Constant +New-Variable -Name 'LIBCBOR_BRANCH' -Value 'v0.10.1' -Option Constant New-Variable -Name 'LIBCBOR_GIT' -Value 'https://github.com/pjk/libcbor' ` -Option Constant # zlib coordinates. -New-Variable -Name 'ZLIB' -Value 'zlib-1.2.12' -Option Constant -New-Variable -Name 'ZLIB_BRANCH' -Value 'v1.2.12' -Option Constant +New-Variable -Name 'ZLIB' -Value 'zlib-1.2.13' -Option Constant +New-Variable -Name 'ZLIB_BRANCH' -Value 'v1.2.13' -Option Constant New-Variable -Name 'ZLIB_GIT' -Value 'https://github.com/madler/zlib' ` -Option Constant diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libfido2-1.12.0/windows/release.ps1 new/libfido2-1.13.0/windows/release.ps1 --- old/libfido2-1.12.0/windows/release.ps1 2022-09-22 10:18:25.000000000 +0200 +++ new/libfido2-1.13.0/windows/release.ps1 2023-02-20 09:21:28.000000000 +0100 @@ -8,7 +8,6 @@ $InstallPrefixes = @('Win64', 'Win32', 'ARM64', 'ARM') $Types = @('dynamic', 'static') $Config = 'Release' -$LibCrypto = '49' $SDK = '143' . "$PSScriptRoot\const.ps1" 
@@ -36,8 +35,8 @@ Copy-Item "${SRC}\lib\cbor.lib" "${DEST}" Copy-Item "${SRC}\bin\zlib1.dll" "${DEST}" Copy-Item "${SRC}\lib\zlib1.lib" "${DEST}" - Copy-Item "${SRC}\bin\crypto-${LibCrypto}.dll" "${DEST}" - Copy-Item "${SRC}\lib\crypto-${LibCrypto}.lib" "${DEST}" + Copy-Item "${SRC}\bin\${CRYPTO_LIBRARIES}.dll" "${DEST}" + Copy-Item "${SRC}\lib\${CRYPTO_LIBRARIES}.lib" "${DEST}" Copy-Item "${SRC}\bin\fido2.dll" "${DEST}" Copy-Item "${SRC}\lib\fido2.lib" "${DEST}" } @@ -45,13 +44,13 @@ Function Package-Static(${SRC}, ${DEST}) { Copy-Item "${SRC}/lib/cbor.lib" "${DEST}" Copy-Item "${SRC}/lib/zlib1.lib" "${DEST}" - Copy-Item "${SRC}/lib/crypto-${LibCrypto}.lib" "${DEST}" + Copy-Item "${SRC}/lib/${CRYPTO_LIBRARIES}.lib" "${DEST}" Copy-Item "${SRC}/lib/fido2_static.lib" "${DEST}/fido2.lib" } Function Package-PDBs(${SRC}, ${DEST}) { Copy-Item "${SRC}\${LIBRESSL}\crypto\crypto_obj.dir\${Config}\crypto_obj.pdb" ` - "${DEST}\crypto-${LibCrypto}.pdb" + "${DEST}\${CRYPTO_LIBRARIES}.pdb" Copy-Item "${SRC}\${LIBCBOR}\src\cbor.dir\${Config}\vc${SDK}.pdb" ` "${DEST}\cbor.pdb" Copy-Item "${SRC}\${ZLIB}\zlib.dir\${Config}\vc${SDK}.pdb" ` @@ -62,7 +61,7 @@ Function Package-StaticPDBs(${SRC}, ${DEST}) { Copy-Item "${SRC}\${LIBRESSL}\crypto\crypto_obj.dir\${Config}\crypto_obj.pdb" ` - "${DEST}\crypto-${LibCrypto}.pdb" + "${DEST}\${CRYPTO_LIBRARIES}.pdb" Copy-Item "${SRC}\${LIBCBOR}\src\${Config}\cbor.pdb" ` "${DEST}\cbor.pdb" Copy-Item "${SRC}\${ZLIB}\${Config}\zlibstatic.pdb" `
