Merge tag 'tags/1.15.0'

release 1.15.0

Author: tgauth

.actions/build-bsd

@@ -15,7 +15,7 @@ cat > "${MANIFEST}" <<- EOF
 image: ${IMAGE}
 packages:
   - cmake
-  - llvm
+  - llvm${LLVM_VERSION:+%${LLVM_VERSION}}
   - pcsc-lite
 EOF
 
@@ -38,7 +38,7 @@ tasks:
       else
         SUDO=sudo
       fi
-      SCAN="/usr/local/bin/scan-build --use-cc=/usr/bin/cc --status-bugs"
+      SCAN="/usr/local/bin/scan-build${LLVM_VERSION:+-${LLVM_VERSION}} --use-cc=/usr/bin/cc --status-bugs"
       cd libfido2
       for T in Debug Release; do
         mkdir build-\$T

.actions/build-linux-i686-w64-mingw32-gcc

@@ -1,6 +1,6 @@
 #!/bin/sh -eux
 
-# Copyright (c) 2022-2023 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
@@ -23,7 +23,7 @@ SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
 EOF
 
 # Build and install libcbor.
-git clone --depth=1 https://github.com/pjk/libcbor -b v0.10.1
+git clone --depth=1 https://github.com/pjk/libcbor -b v0.11.0
 cd libcbor
 mkdir build
 (cd build && cmake -DCMAKE_TOOLCHAIN_FILE=/tmp/mingw.cmake \
@@ -42,7 +42,7 @@ sudo make install_sw
 cd ..
 
 # Build and install zlib.
-git clone --depth=1 https://github.com/madler/zlib -b v1.3
+git clone --depth=1 https://github.com/madler/zlib -b v1.3.1
 cd zlib
 make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32-
 sudo make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32- DESTDIR=/fakeroot \

.actions/build-linux-openssl3-clang

@@ -1,6 +1,6 @@
 #!/bin/sh -eux
 
-# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
@@ -12,8 +12,8 @@ FAKEROOT="$(mktemp -d)"
 # Check exports.
 (cd src && ./diff_exports.sh)
 
-# Build and install OpenSSL 3.0.12.
-git clone --branch openssl-3.0.12 \
+# Build and install OpenSSL 3.0.14.
+git clone --branch openssl-3.0.14 \
 	--depth=1 https://github.com/openssl/openssl
 cd openssl
 ./Configure linux-x86_64-clang --prefix="${FAKEROOT}" \

.actions/build-linux-openssl3-gcc

@@ -1,15 +1,15 @@
 #!/bin/sh -eux
 
-# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
 
 ${CC} --version
 FAKEROOT="$(mktemp -d)"
 
-# Build and install OpenSSL 3.0.12.
-git clone --branch openssl-3.0.12 \
+# Build and install OpenSSL 3.0.14.
+git clone --branch openssl-3.0.14 \
 	--depth=1 https://github.com/openssl/openssl
 cd openssl
 ./Configure linux-x86_64 --prefix="${FAKEROOT}" \

.actions/build-linux-openssl3-i686-w64-mingw32-gcc

@@ -1,6 +1,6 @@
 #!/bin/sh -eux
 
-# Copyright (c) 2022-2023 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
@@ -23,7 +23,7 @@ SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
 EOF
 
 # Build and install libcbor.
-git clone --depth=1 https://github.com/pjk/libcbor -b v0.10.1
+git clone --depth=1 https://github.com/pjk/libcbor -b v0.11.0
 cd libcbor
 mkdir build
 (cd build && cmake -DCMAKE_TOOLCHAIN_FILE=/tmp/mingw.cmake \
@@ -32,8 +32,8 @@ make -j"$(nproc)" -C build
 sudo make -C build install
 cd ..
 
-# Build and install OpenSSL 3.0.11.
-git clone --branch openssl-3.0.12 \
+# Build and install OpenSSL 3.0.14.
+git clone --branch openssl-3.0.14 \
 	--depth=1 https://github.com/openssl/openssl
 cd openssl
 ./Configure mingw --prefix=/fakeroot --openssldir=/fakeroot/openssl \
@@ -43,7 +43,7 @@ sudo make install_sw
 cd ..
 
 # Build and install zlib.
-git clone --depth=1 https://github.com/madler/zlib -b v1.3
+git clone --depth=1 https://github.com/madler/zlib -b v1.3.1
 cd zlib
 make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32-
 sudo make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32- DESTDIR=/fakeroot \

.actions/fuzz-linux

@@ -1,18 +1,18 @@
 #!/bin/sh -eux
 
-# Copyright (c) 2020-2022 Yubico AB. All rights reserved.
+# Copyright (c) 2020-2024 Yubico AB. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
 
 LIBCBOR_URL="https://github.com/pjk/libcbor"
-LIBCBOR_TAG="v0.10.2"
+LIBCBOR_TAG="v0.11.0"
 LIBCBOR_ASAN="address alignment bounds"
 LIBCBOR_MSAN="memory"
 OPENSSL_URL="https://github.com/openssl/openssl"
-OPENSSL_TAG="openssl-3.0.12"
+OPENSSL_TAG="openssl-3.0.14"
 ZLIB_URL="https://github.com/madler/zlib"
-ZLIB_TAG="v1.3"
+ZLIB_TAG="v1.3.1"
 ZLIB_ASAN="address alignment bounds undefined"
 ZLIB_MSAN="memory"
 FIDO2_ASAN="address bounds fuzzer-no-link implicit-conversion leak"
@@ -63,6 +63,7 @@ git clone --depth=1 "${OPENSSL_URL}" -b "${OPENSSL_TAG}"
 cd openssl
 ./Configure linux-x86_64-clang "enable-$1" --prefix="${FAKEROOT}" \
     --openssldir="${FAKEROOT}/openssl" --libdir=lib
+make -j"$(nproc)" build_sw
 make install_sw
 cd -
 
@@ -71,7 +72,7 @@ git clone --depth=1 "${ZLIB_URL}" -b "${ZLIB_TAG}"
 cd zlib
 CFLAGS="${ZLIB_CFLAGS}" LDFLAGS="${ZLIB_CFLAGS}" ./configure \
     --prefix="${FAKEROOT}"
-make install
+make -j"$(nproc)" install
 cd -
 
 # libfido2
@@ -87,7 +88,7 @@ mkdir corpus
 curl -s https://storage.googleapis.com/yubico-libfido2/corpus.tgz |
     tar -C corpus -zxf -
 export UBSAN_OPTIONS ASAN_OPTIONS MSAN_OPTIONS
-for f in assert bio cred credman hid largeblob mgmt netlink pcsc; do
+for f in assert attobj bio cred credman hid largeblob mgmt netlink pcsc; do
 	build/fuzz/fuzz_${f} -use_value_profile=1 -reload=30 -print_pcs=1 \
 	    -print_funcs=30 -timeout=10 -runs=1 corpus/fuzz_${f}
 done

.github/workflows/alpine_builds.yml

@@ -16,7 +16,7 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     container: alpine:latest
     strategy:
       fail-fast: false

.github/workflows/bsd_builds.yml

@@ -18,7 +18,9 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        image: [freebsd/13.x, openbsd/7.2]
+        include:
+          - { image: freebsd/14.x }
+          - { image: openbsd/7.4, llvm_version: 16 }
     steps:
     - uses: actions/checkout@v4
     - name: dependencies
@@ -27,6 +29,7 @@ jobs:
         sudo apt install -q -y curl jq
     - name: build
       env:
+        LLVM_VERSION: ${{ matrix.llvm_version }}
         IMAGE: ${{ matrix.image }}
         SOURCEHUT_TOKEN: ${{ secrets.SOURCEHUT_TOKEN }}
       run: ./.actions/build-bsd

.github/workflows/cifuzz_oss.yml

@@ -17,7 +17,7 @@ on:
 jobs:
   fuzzing:
     if: github.repository == 'Yubico/libfido2'
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     strategy:
       fail-fast: false
       matrix:

.github/workflows/linux_builds.yml

@@ -26,10 +26,10 @@ jobs:
           - { os: ubuntu-22.04, cc: gcc-10 }
           - { os: ubuntu-22.04, cc: gcc-11 }
           - { os: ubuntu-22.04, cc: gcc-12 }
-          - { os: ubuntu-22.04, cc: clang-13 }
-          - { os: ubuntu-22.04, cc: clang-14 }
           - { os: ubuntu-22.04, cc: clang-15 }
           - { os: ubuntu-22.04, cc: clang-16 }
+          - { os: ubuntu-22.04, cc: clang-17 }
+          - { os: ubuntu-22.04, cc: clang-18 }
           - { os: ubuntu-20.04, cc: i686-w64-mingw32-gcc-9 }
           - { os: ubuntu-22.04, cc: i686-w64-mingw32-gcc-10 }
     steps:

.github/workflows/linux_fuzz.yml

@@ -21,7 +21,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ ubuntu-22.04 ]
-        cc: [ clang-16 ]
+        cc: [ clang-18 ]
         sanitizer: [ asan, msan ]
     steps:
     - uses: actions/checkout@v4

.github/workflows/macos_builds.yml

@@ -20,11 +20,13 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ macos-13, macos-12 ]
+        os: [ macos-14, macos-13, macos-12 ]
         cc: [ clang ]
     steps:
     - uses: actions/checkout@v4
     - name: dependencies
+      env:
+        HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK: 1
       run: brew install libcbor llvm mandoc openssl@3.0 pkg-config zlib
     - name: build
       env:

.github/workflows/openssl3.yml

@@ -22,9 +22,9 @@ jobs:
       matrix:
         include:
           - os: ubuntu-22.04
-            cc: gcc-11
+            cc: gcc-12
           - os: ubuntu-22.04
-            cc: clang-16
+            cc: clang-18
           - os: ubuntu-22.04
             cc: i686-w64-mingw32-gcc-10
     steps:

CMakeLists.txt

@@ -29,7 +29,7 @@ set(CMAKE_POSITION_INDEPENDENT_CODE ON)
 set(CMAKE_COLOR_MAKEFILE OFF)
 set(CMAKE_VERBOSE_MAKEFILE ON)
 set(FIDO_MAJOR "1")
-set(FIDO_MINOR "14")
+set(FIDO_MINOR "15")
 set(FIDO_PATCH "0")
 set(FIDO_VERSION ${FIDO_MAJOR}.${FIDO_MINOR}.${FIDO_PATCH})
 
@@ -487,7 +487,7 @@ endif()
 if(BUILD_TOOLS)
 	add_subdirectory(tools)
 endif()
-if(BUILD_MANPAGES)
+if(BUILD_MANPAGES AND NOT MSVC)
 	add_subdirectory(man)
 endif()
 

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2018-2023 Yubico AB. All rights reserved.
+Copyright (c) 2018-2024 Yubico AB. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are

NEWS

@@ -1,12 +1,24 @@
+* Version 1.15.0 (2024-06-13)
+ ** 1.15.0 will be the last release to support OpenSSL 1.1.
+ ** bio, credman: improved CTAP 2.1 support.
+ ** hid_osx: fix issue where fido_hid_read() may block unnecessarily; gh#757.
+ ** fido2-token -I: print maxcredbloblen.
+ ** hid_linux: improved support for uhid devices.
+ ** New API calls:
+  - fido_cred_set_attobj;
+  - fido_cred_x5c_list_count;
+  - fido_cred_x5c_list_len;
+  - fido_cred_x5c_list_ptr.
+
 * Version 1.14.0 (2023-11-13)
  ** fido2-cred -M, fido2-token -G: support raw client data via -w flag.
  ** winhello: support U2F AppID extension for assertions.
  ** winhello: fix restrictive parsing of the hmac-secret on assertions.
  ** winhello: translate NTE_USER_CANCELLED to FIDO_ERR_OPERATION_DENIED; gh#685.
  ** New API calls:
-    ** fido_assert_authdata_raw_len;
-    ** fido_assert_authdata_raw_ptr;
-    ** fido_assert_set_winhello_appid.
+  - fido_assert_authdata_raw_len;
+  - fido_assert_authdata_raw_ptr;
+  - fido_assert_set_winhello_appid.
 
 * Version 1.13.0 (2023-02-20)
  ** Support for linking against OpenSSL on Windows; gh#668.

README.adoc

@@ -38,7 +38,7 @@ is also available.
 
 === Releases
 
-The current release of *libfido2* is 1.14.0. Signed release tarballs are
+The current release of *libfido2* is 1.15.0. Signed release tarballs are
 available at Yubico's
 https://developers.yubico.com/libfido2/Releases[release page].
 

SECURITY.md

@@ -2,4 +2,4 @@
 
 To report security issues in libfido2, please contact security@yubico.com.
 A PGP public key can be found at
-https://www.yubico.com/support/security-advisories/issue-rating-system/.
+https://www.yubico.com/support/issue-rating-system/.

fuzz/CMakeLists.txt

@@ -1,4 +1,4 @@
-# Copyright (c) 2019-2023 Yubico AB. All rights reserved.
+# Copyright (c) 2019-2024 Yubico AB. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
@@ -80,3 +80,10 @@ set_target_properties(fuzz_pcsc PROPERTIES
 	LINK_FLAGS ${FUZZ_LDFLAGS}
 	LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE})
 target_link_libraries(fuzz_pcsc fido2_shared)
+
+# fuzz_attobj
+add_executable(fuzz_attobj fuzz_attobj.c ${COMMON_SOURCES} ${COMPAT_SOURCES})
+set_target_properties(fuzz_attobj PROPERTIES
+	LINK_FLAGS ${FUZZ_LDFLAGS}
+	LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE})
+target_link_libraries(fuzz_attobj fido2_shared)

fuzz/Dockerfile

@@ -10,7 +10,7 @@ RUN apk -q update
 RUN apk add build-base clang clang-analyzer cmake compiler-rt coreutils
 RUN apk add eudev-dev git linux-headers llvm openssl-dev pcsc-lite-dev
 RUN apk add sudo tar zlib-dev
-RUN git clone --branch v0.10.2 --depth=1 https://github.com/PJK/libcbor
+RUN git clone --branch v0.11.0 --depth=1 https://github.com/PJK/libcbor
 RUN git clone --depth=1 https://github.com/yubico/libfido2
 WORKDIR /libfido2
 RUN ./fuzz/build-coverage /libcbor /libfido2

fuzz/Makefile

@@ -3,12 +3,12 @@
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
 
-IMAGE		:= libfido2-coverage:1.14.0
+IMAGE		:= libfido2-coverage:1.15.0
 RUNNER		:= libfido2-runner
 PROFDATA	:= llvm-profdata
 COV		:= llvm-cov
-TARGETS		:= fuzz_assert fuzz_bio fuzz_cred fuzz_credman fuzz_hid \
-		   fuzz_largeblob fuzz_netlink fuzz_mgmt fuzz_pcsc
+TARGETS		:= fuzz_assert fuzz_attobj fuzz_bio fuzz_cred fuzz_credman \
+		   fuzz_hid fuzz_largeblob fuzz_netlink fuzz_mgmt fuzz_pcsc
 CORPORA		:= $(foreach f,${TARGETS},${f}/corpus)
 MINIFY		:= $(foreach f,${TARGETS},/minify/${f}/corpus)
 REMOTE		:= gs://libfido2-corpus.clusterfuzz-external.appspot.com

fuzz/export.gnu

@@ -166,6 +166,7 @@
 		fido_cred_rp_id;
 		fido_cred_rp_name;
 		fido_cred_set_attstmt;
+		fido_cred_set_attobj;
 		fido_cred_set_authdata;
 		fido_cred_set_authdata_raw;
 		fido_cred_set_blob;
@@ -193,6 +194,9 @@
 		fido_cred_verify;
 		fido_cred_verify_self;
 		fido_cred_x5c_len;
+		fido_cred_x5c_list_count;
+		fido_cred_x5c_list_len;
+		fido_cred_x5c_list_ptr;
 		fido_cred_x5c_ptr;
 		fido_dev_build;
 		fido_dev_cancel;