Merge tag 'tags/1.14.0'

release 1.14.0

# -----BEGIN PGP SIGNATURE-----
#
# iHUEABYKAB0WIQSzcAP/FaBopBPlCxw9aknkxOC2cwUCZVHOGQAKCRA9aknkxOC2
# c/MaAP9IG8kaa7mImcO0q+FLGZwDoYu48ttqSJIhDJ9vJihBOQEA1jEMN3DwnlzV
# Uik5dW4oL30hFqlfdbDQ+Xi7ZzsiVww=
# =sMTA
# -----END PGP SIGNATURE-----
# gpg: directory '/c/Users/tessgauthier/.gnupg' created
# gpg: keybox '/c/Users/tessgauthier/.gnupg/pubring.kbx' created
# gpg: Signature made Mon Nov 13 02:19:53 2023 EST
# gpg:                using EDDSA key B37003FF15A068A413E50B1C3D6A49E4C4E0B673
# gpg: Can't check signature: No public key

Author: tgauth

.actions/build-linux-i686-w64-mingw32-gcc

@@ -32,8 +32,8 @@ make -j"$(nproc)" -C build
 sudo make -C build install
 cd ..
 
-# Build and install OpenSSL 1.1.1t.
-git clone --depth=1 https://github.com/openssl/openssl -b OpenSSL_1_1_1t
+# Build and install OpenSSL 1.1.1w.
+git clone --depth=1 https://github.com/openssl/openssl -b OpenSSL_1_1_1w
 cd openssl
 ./Configure mingw --prefix=/fakeroot --openssldir=/fakeroot/openssl \
 	--cross-compile-prefix=i686-w64-mingw32-
@@ -42,7 +42,7 @@ sudo make install_sw
 cd ..
 
 # Build and install zlib.
-git clone --depth=1 https://github.com/madler/zlib -b v1.2.13
+git clone --depth=1 https://github.com/madler/zlib -b v1.3
 cd zlib
 make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32-
 sudo make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32- DESTDIR=/fakeroot \

.actions/build-linux-openssl3-clang

@@ -12,8 +12,8 @@ FAKEROOT="$(mktemp -d)"
 # Check exports.
 (cd src && ./diff_exports.sh)
 
-# Build and install OpenSSL 3.0.8.
-git clone --branch openssl-3.0.8 \
+# Build and install OpenSSL 3.0.12.
+git clone --branch openssl-3.0.12 \
 	--depth=1 https://github.com/openssl/openssl
 cd openssl
 ./Configure linux-x86_64-clang --prefix="${FAKEROOT}" \

.actions/build-linux-openssl3-gcc

@@ -8,8 +8,8 @@
 ${CC} --version
 FAKEROOT="$(mktemp -d)"
 
-# Build and install OpenSSL 3.0.8.
-git clone --branch openssl-3.0.8 \
+# Build and install OpenSSL 3.0.12.
+git clone --branch openssl-3.0.12 \
 	--depth=1 https://github.com/openssl/openssl
 cd openssl
 ./Configure linux-x86_64 --prefix="${FAKEROOT}" \

.actions/build-linux-openssl3-i686-w64-mingw32-gcc

@@ -32,8 +32,8 @@ make -j"$(nproc)" -C build
 sudo make -C build install
 cd ..
 
-# Build and install OpenSSL 3.0.8.
-git clone --branch openssl-3.0.8 \
+# Build and install OpenSSL 3.0.11.
+git clone --branch openssl-3.0.12 \
 	--depth=1 https://github.com/openssl/openssl
 cd openssl
 ./Configure mingw --prefix=/fakeroot --openssldir=/fakeroot/openssl \
@@ -43,7 +43,7 @@ sudo make install_sw
 cd ..
 
 # Build and install zlib.
-git clone --depth=1 https://github.com/madler/zlib -b v1.2.13
+git clone --depth=1 https://github.com/madler/zlib -b v1.3
 cd zlib
 make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32-
 sudo make -fwin32/Makefile.gcc PREFIX=i686-w64-mingw32- DESTDIR=/fakeroot \

.actions/build-osx-clang

@@ -5,7 +5,7 @@
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
 
-export PKG_CONFIG_PATH="$(brew --prefix openssl@1.1)/lib/pkgconfig"
+export PKG_CONFIG_PATH="$(brew --prefix openssl@3.0)/lib/pkgconfig"
 SCAN="$(brew --prefix llvm)/bin/scan-build"
 
 # Build, analyze, and install libfido2.

.actions/fuzz-linux

@@ -6,13 +6,13 @@
 # SPDX-License-Identifier: BSD-2-Clause
 
 LIBCBOR_URL="https://github.com/pjk/libcbor"
-LIBCBOR_TAG="v0.10.1"
+LIBCBOR_TAG="v0.10.2"
 LIBCBOR_ASAN="address alignment bounds"
 LIBCBOR_MSAN="memory"
 OPENSSL_URL="https://github.com/openssl/openssl"
-OPENSSL_TAG="OpenSSL_1_1_1t"
+OPENSSL_TAG="openssl-3.0.12"
 ZLIB_URL="https://github.com/madler/zlib"
-ZLIB_TAG="v1.2.13"
+ZLIB_TAG="v1.3"
 ZLIB_ASAN="address alignment bounds undefined"
 ZLIB_MSAN="memory"
 FIDO2_ASAN="address bounds fuzzer-no-link implicit-conversion leak"
@@ -62,7 +62,7 @@ cd -
 git clone --depth=1 "${OPENSSL_URL}" -b "${OPENSSL_TAG}"
 cd openssl
 ./Configure linux-x86_64-clang "enable-$1" --prefix="${FAKEROOT}" \
-    --openssldir="${FAKEROOT}/openssl"
+    --openssldir="${FAKEROOT}/openssl" --libdir=lib
 make install_sw
 cd -
 

.github/workflows/alpine_builds.yml

@@ -32,7 +32,7 @@ jobs:
     - name: fix permissions on workdir
       run: chown root:wheel "${GITHUB_WORKSPACE}"
     - name: checkout libfido2
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
     - name: build libfido2
       env:
         CC: ${{ matrix.cc }}

.github/workflows/bsd_builds.yml

@@ -20,7 +20,7 @@ jobs:
       matrix:
         image: [freebsd/13.x, openbsd/7.2]
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: dependencies
       run: |
         sudo apt -q update

.github/workflows/cifuzz_oss.yml

@@ -39,7 +39,7 @@ jobs:
         fuzz-seconds: 600
         dry-run: false
     - name: upload crash
-      uses: actions/upload-artifact@v1
+      uses: actions/upload-artifact@v3
       if: failure()
       with:
         name: ${{ matrix.sanitizer }}-artifacts

.github/workflows/codeql-analysis.yml

@@ -16,13 +16,16 @@ on:
   schedule:
     - cron: '0 0 * * 0'
 
+permissions:
+  security-events: write
+
 jobs:
   codeql-build:
     if: github.repository == 'Yubico/libfido2'
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
       with:
         fetch-depth: 2
     - name: init codeql

.github/workflows/cygwin_builds.yml

@@ -24,7 +24,7 @@ jobs:
         arch: [ x64 ]
         config: [ "Debug", "Release" ]
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: build
       run: |
         .\windows\cygwin.ps1 -Config ${{ matrix.config }}

.github/workflows/linux_builds.yml

@@ -26,14 +26,14 @@ jobs:
           - { os: ubuntu-22.04, cc: gcc-10 }
           - { os: ubuntu-22.04, cc: gcc-11 }
           - { os: ubuntu-22.04, cc: gcc-12 }
-          - { os: ubuntu-20.04, cc: clang-12 }
           - { os: ubuntu-22.04, cc: clang-13 }
           - { os: ubuntu-22.04, cc: clang-14 }
           - { os: ubuntu-22.04, cc: clang-15 }
+          - { os: ubuntu-22.04, cc: clang-16 }
           - { os: ubuntu-20.04, cc: i686-w64-mingw32-gcc-9 }
           - { os: ubuntu-22.04, cc: i686-w64-mingw32-gcc-10 }
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: dependencies
       run: |
         sudo apt -q update

.github/workflows/linux_fuzz.yml

@@ -21,10 +21,10 @@ jobs:
       fail-fast: false
       matrix:
         os: [ ubuntu-22.04 ]
-        cc: [ clang-15 ]
+        cc: [ clang-16 ]
         sanitizer: [ asan, msan ]
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: dependencies
       run: |
         sudo apt -q update

.github/workflows/macos_builds.yml

@@ -20,12 +20,12 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ macos-12, macos-11 ]
+        os: [ macos-13, macos-12 ]
         cc: [ clang ]
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: dependencies
-      run: brew install libcbor llvm mandoc pkg-config zlib
+      run: brew install libcbor llvm mandoc openssl@3.0 pkg-config zlib
     - name: build
       env:
         CC: ${{ matrix.cc }}

.github/workflows/openssl3.yml

@@ -24,11 +24,11 @@ jobs:
           - os: ubuntu-22.04
             cc: gcc-11
           - os: ubuntu-22.04
-            cc: clang-15
+            cc: clang-16
           - os: ubuntu-22.04
             cc: i686-w64-mingw32-gcc-10
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: dependencies
       env:
         CC: ${{ matrix.cc }}

.github/workflows/windows_builds.yml

@@ -25,7 +25,7 @@ jobs:
         type: [ dynamic, static ]
         config: [ "Release" ]
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: build
       run: |
         .\windows\build.ps1 -Fido2Flags '/analyze' -Arch ${{ matrix.arch }} `

CMakeLists.txt

@@ -2,12 +2,12 @@
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
+cmake_minimum_required(VERSION 3.7)
 
 # detect AppleClang; needs to come before project()
 cmake_policy(SET CMP0025 NEW)
 
 project(libfido2 C)
-cmake_minimum_required(VERSION 3.0)
 # Set PIE flags for POSITION_INDEPENDENT_CODE targets, added in CMake 3.14.
 if(POLICY CMP0083)
 	cmake_policy(SET CMP0083 NEW)
@@ -29,7 +29,7 @@ set(CMAKE_POSITION_INDEPENDENT_CODE ON)
 set(CMAKE_COLOR_MAKEFILE OFF)
 set(CMAKE_VERBOSE_MAKEFILE ON)
 set(FIDO_MAJOR "1")
-set(FIDO_MINOR "13")
+set(FIDO_MINOR "14")
 set(FIDO_PATCH "0")
 set(FIDO_VERSION ${FIDO_MAJOR}.${FIDO_MINOR}.${FIDO_PATCH})
 

NEWS

@@ -1,3 +1,13 @@
+* Version 1.14.0 (2023-11-13)
+ ** fido2-cred -M, fido2-token -G: support raw client data via -w flag.
+ ** winhello: support U2F AppID extension for assertions.
+ ** winhello: fix restrictive parsing of the hmac-secret on assertions.
+ ** winhello: translate NTE_USER_CANCELLED to FIDO_ERR_OPERATION_DENIED; gh#685.
+ ** New API calls:
+    ** fido_assert_authdata_raw_len;
+    ** fido_assert_authdata_raw_ptr;
+    ** fido_assert_set_winhello_appid.
+
 * Version 1.13.0 (2023-02-20)
  ** Support for linking against OpenSSL on Windows; gh#668.
  ** New API calls:

README.adoc

@@ -38,7 +38,7 @@ is also available.
 
 === Releases
 
-The current release of *libfido2* is 1.13.0. Signed release tarballs are
+The current release of *libfido2* is 1.14.0. Signed release tarballs are
 available at Yubico's
 https://developers.yubico.com/libfido2/Releases[release page].
 

examples/README.adoc

@@ -48,7 +48,7 @@ The following examples are provided:
 	the device's PIN is changed from [oldpin] to <pin>.
 
 - cred [-t es256|es384|rs256|eddsa] [-k pubkey] [-ei cred_id] [-P pin]
-       [-T seconds] [-b blobkey] [-hruv] <device>
+       [-T seconds] [-b blobkey] [-hruv] [-c cred_protect] <device>
 
 	Creates a new credential on <device> and verify that the credential
 	was signed by the authenticator. The device's attestation certificate
@@ -63,7 +63,8 @@ The following examples are provided:
 	is generated using U2F (CTAP1) instead of FIDO2 (CTAP2) commands.
 	The -T option may be used to enforce a timeout of <seconds>. If the
 	option -b is specified, the credential's "largeBlob" key is stored in
-	<blobkey>.
+	<blobkey>. If the option -c is specified the the generated credential
+	will be bound by the specified protection policy.
 
 - assert [-t es256|es384|rs256|eddsa] [-a cred_id] [-h hmac_secret] [-P pin]
          [-s hmac_salt] [-T seconds] [-b blobkey] [-puv] <pubkey> <device>

examples/cred.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018-2022 Yubico AB. All rights reserved.
+ * Copyright (c) 2018-2023 Yubico AB. All rights reserved.
  * Use of this source code is governed by a BSD-style
  * license that can be found in the LICENSE file.
  * SPDX-License-Identifier: BSD-2-Clause
@@ -36,15 +36,16 @@ static void
 usage(void)
 {
 	fprintf(stderr, "usage: cred [-t es256|es384|rs256|eddsa] [-k pubkey] "
-	    "[-ei cred_id] [-P pin] [-T seconds] [-b blobkey] [-hruv] "
+	    "[-ei cred_id] [-P pin] [-T seconds] [-b blobkey] [-c cred_protect] [-hruv] "
 	    "<device>\n");
 	exit(EXIT_FAILURE);
 }
 
 static void
 verify_cred(int type, const char *fmt, const unsigned char *authdata_ptr,
     size_t authdata_len, const unsigned char *attstmt_ptr, size_t attstmt_len,
-    bool rk, bool uv, int ext, const char *key_out, const char *id_out)
+    bool rk, bool uv, int ext, int cred_protect, const char *key_out,
+    const char *id_out)
 {
 	fido_cred_t	*cred;
 	int		 r;
@@ -85,6 +86,11 @@ verify_cred(int type, const char *fmt, const unsigned char *authdata_ptr,
 	if (uv && (r = fido_cred_set_uv(cred, FIDO_OPT_TRUE)) != FIDO_OK)
 		errx(1, "fido_cred_set_uv: %s (0x%x)", fido_strerr(r), r);
 
+	/* credProt */
+	if (cred_protect != 0 && (r = fido_cred_set_prot(cred,
+	    cred_protect)) != FIDO_OK)
+		errx(1, "fido_cred_set_prot: %s (0x%x)", fido_strerr(r), r);
+
 	/* fmt */
 	r = fido_cred_set_fmt(cred, fmt);
 	if (r != FIDO_OK)
@@ -159,11 +165,12 @@ main(int argc, char **argv)
 	int		 ext = 0;
 	int		 ch;
 	int		 r;
+	long long cred_protect = 0;
 
 	if ((cred = fido_cred_new()) == NULL)
 		errx(1, "fido_cred_new");
 
-	while ((ch = getopt(argc, argv, "P:T:b:e:hi:k:rt:uv")) != -1) {
+	while ((ch = getopt(argc, argv, "P:T:b:e:hi:k:rt:uvc:")) != -1) {
 		switch (ch) {
 		case 'P':
 			pin = optarg;
@@ -192,6 +199,13 @@ main(int argc, char **argv)
 		case 'h':
 			ext |= FIDO_EXT_HMAC_SECRET;
 			break;
+		case 'c':
+			if (base10(optarg, &cred_protect) < 0)
+				errx(1, "base10: %s", optarg);
+			if (cred_protect <= 0 || cred_protect > 3)
+				errx(1, "-c: %s must be in (1,3)", optarg);
+			ext |= FIDO_EXT_CRED_PROTECT;
+			break;
 		case 'i':
 			id_out = optarg;
 			break;
@@ -275,6 +289,11 @@ main(int argc, char **argv)
 	if (uv && (r = fido_cred_set_uv(cred, FIDO_OPT_TRUE)) != FIDO_OK)
 		errx(1, "fido_cred_set_uv: %s (0x%x)", fido_strerr(r), r);
 
+	/* credProt */
+	if (cred_protect != 0 && (r = fido_cred_set_prot(cred,
+	    (int)cred_protect)) != FIDO_OK)
+		errx(1, "fido_cred_set_prot: %s (0x%x)", fido_strerr(r), r);
+	
 	/* timeout */
 	if (ms != 0 && (r = fido_dev_set_timeout(dev, (int)ms)) != FIDO_OK)
 		errx(1, "fido_dev_set_timeout: %s (0x%x)", fido_strerr(r), r);
@@ -296,7 +315,8 @@ main(int argc, char **argv)
 
 	verify_cred(type, fido_cred_fmt(cred), fido_cred_authdata_ptr(cred),
 	    fido_cred_authdata_len(cred), fido_cred_attstmt_ptr(cred),
-	    fido_cred_attstmt_len(cred), rk, uv, ext, key_out, id_out);
+	    fido_cred_attstmt_len(cred), rk, uv, ext, fido_cred_prot(cred),
+	    key_out, id_out);
 
 	if (blobkey_out != NULL) {
 		/* extract the "largeBlob" key */

fuzz/Dockerfile

@@ -10,7 +10,7 @@ RUN apk -q update
 RUN apk add build-base clang clang-analyzer cmake compiler-rt coreutils
 RUN apk add eudev-dev git linux-headers llvm openssl-dev pcsc-lite-dev
 RUN apk add sudo tar zlib-dev
-RUN git clone --branch v0.10.1 --depth=1 https://github.com/PJK/libcbor
+RUN git clone --branch v0.10.2 --depth=1 https://github.com/PJK/libcbor
 RUN git clone --depth=1 https://github.com/yubico/libfido2
 WORKDIR /libfido2
 RUN ./fuzz/build-coverage /libcbor /libfido2

fuzz/Makefile

@@ -3,7 +3,7 @@
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
 
-IMAGE		:= libfido2-coverage:1.13.1
+IMAGE		:= libfido2-coverage:1.14.0
 RUNNER		:= libfido2-runner
 PROFDATA	:= llvm-profdata
 COV		:= llvm-cov

fuzz/export.gnu

@@ -20,6 +20,8 @@
 		fido_assert_allow_cred;
 		fido_assert_authdata_len;
 		fido_assert_authdata_ptr;
+		fido_assert_authdata_raw_len;
+		fido_assert_authdata_raw_ptr;
 		fido_assert_blob_len;
 		fido_assert_blob_ptr;
 		fido_assert_clientdata_hash_len;