author | Ed Maste <emaste@FreeBSD.org> | 2023-04-26 16:40:46 +0000 |
---|---|---|
committer | Ed Maste <emaste@FreeBSD.org> | 2023-04-26 16:40:46 +0000 |
commit | 00db45a65823dc224f3630bc8185e789064fef6a (patch) | |
tree | 67a107b082e8087b8c2d31867642ec8267165c29 | |
parent | fdfa06d7d381e83be6a8c5e39a5bd7af714ac656 (diff) |
Vendor import of libfido2 0.13.0vendor/libfido2/1.13.0
38 files changed, 265 insertions, 155 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt index dc31cc0d4806..6fa341a01cc6 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -29,17 +29,17 @@ set(CMAKE_POSITION_INDEPENDENT_CODE ON) set(CMAKE_COLOR_MAKEFILE OFF) set(CMAKE_VERBOSE_MAKEFILE ON) set(FIDO_MAJOR "1") -set(FIDO_MINOR "12") +set(FIDO_MINOR "13") set(FIDO_PATCH "0") set(FIDO_VERSION ${FIDO_MAJOR}.${FIDO_MINOR}.${FIDO_PATCH}) +option(BUILD_TESTS "Build the regress tests" ON) option(BUILD_EXAMPLES "Build example programs" ON) option(BUILD_MANPAGES "Build man pages" ON) option(BUILD_SHARED_LIBS "Build a shared library" ON) option(BUILD_STATIC_LIBS "Build a static library" ON) option(BUILD_TOOLS "Build tool programs" ON) option(FUZZ "Enable fuzzing instrumentation" OFF) -option(LIBFUZZER "Build libfuzzer harnesses" OFF) option(USE_HIDAPI "Use hidapi as the HID backend" OFF) option(USE_PCSC "Enable experimental PCSC support" OFF) option(USE_WINHELLO "Abstract Windows Hello as a FIDO device" ON) @@ -49,6 +49,14 @@ add_definitions(-D_FIDO_MAJOR=${FIDO_MAJOR}) add_definitions(-D_FIDO_MINOR=${FIDO_MINOR}) add_definitions(-D_FIDO_PATCH=${FIDO_PATCH}) +if(BUILD_SHARED_LIBS) + set(_FIDO2_LIBRARY fido2_shared) +elseif(BUILD_STATIC_LIBS) + set(_FIDO2_LIBRARY fido2) +else() + message(FATAL_ERROR "Nothing to build (BUILD_*_LIBS=OFF)") +endif() + if(CYGWIN OR MSYS OR MINGW) set(WIN32 1) endif() @@ -151,7 +159,7 @@ foreach(v ${CHECK_VARIABLES}) endif() endforeach() -if(HAVE_EXPLICIT_BZERO AND NOT LIBFUZZER) +if(HAVE_EXPLICIT_BZERO AND NOT FUZZ) add_definitions(-DHAVE_EXPLICIT_BZERO) endif() 
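Review bot: The guard `if(HAVE_EXPLICIT_BZERO AND NOT FUZZ)` in the last hunk on this line has no comment explaining why the platform explicit_bzero() is now skipped for every FUZZ=ON build, where before it was skipped only when LIBFUZZER was set. Presumably a bundled replacement is compiled in so that instrumented builds can observe the zeroing, but nothing visible here confirms that. A comment above the condition, for example `# FUZZ builds use the bundled explicit_bzero() replacement (confirm)`, would record that a FUZZ=ON library clears buffers differently from a release build.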
@@ -159,19 +167,30 @@ if(UNIX) add_definitions(-DHAVE_DEV_URANDOM) endif() + if(MSVC) if((NOT CBOR_INCLUDE_DIRS) OR (NOT CBOR_LIBRARY_DIRS) OR - (NOT CBOR_BIN_DIRS) OR (NOT CRYPTO_INCLUDE_DIRS) OR - (NOT CRYPTO_LIBRARY_DIRS) OR (NOT CRYPTO_BIN_DIRS) OR - (NOT ZLIB_INCLUDE_DIRS) OR (NOT ZLIB_LIBRARY_DIRS) OR - (NOT ZLIB_BIN_DIRS)) + (NOT CRYPTO_INCLUDE_DIRS) OR (NOT CRYPTO_LIBRARY_DIRS) OR + (NOT ZLIB_INCLUDE_DIRS) OR (NOT ZLIB_LIBRARY_DIRS)) message(FATAL_ERROR "please define " - "{CBOR,CRYPTO,ZLIB}_{INCLUDE,LIBRARY,BIN}_DIRS when " + "{CBOR,CRYPTO,ZLIB}_{INCLUDE,LIBRARY}_DIRS when " "building under msvc") endif() - set(CBOR_LIBRARIES cbor) - set(ZLIB_LIBRARIES zlib1) - set(CRYPTO_LIBRARIES crypto-49) + if(BUILD_TESTS AND BUILD_SHARED_LIBS AND + ((NOT CBOR_BIN_DIRS) OR (NOT ZLIB_BIN_DIRS) OR (NOT CRYPTO_BIN_DIRS))) + message(FATAL_ERROR "please define {CBOR,CRYPTO,ZLIB}_BIN_DIRS " + "when building tests") + endif() + if(NOT CBOR_LIBRARIES) + set(CBOR_LIBRARIES cbor) + endif() + if(NOT ZLIB_LIBRARIES) + set(ZLIB_LIBRARIES zlib1) + endif() + if(NOT CRYPTO_LIBRARIES) + set(CRYPTO_LIBRARIES crypto) + endif() + set(MSVC_DISABLED_WARNINGS_LIST "C4152" # nonstandard extension used: function/data pointer # conversion in expression; @@ -213,8 +232,12 @@ else() message(FATAL_ERROR "could not find zlib") endif() - set(CBOR_LIBRARIES "cbor") - set(CRYPTO_LIBRARIES "crypto") + if(NOT CBOR_LIBRARIES) + set(CBOR_LIBRARIES "cbor") + endif() + if(NOT CRYPTO_LIBRARIES) + set(CRYPTO_LIBRARIES "crypto") + endif() if(CMAKE_SYSTEM_NAME STREQUAL "Linux") pkg_search_module(UDEV libudev REQUIRED) @@ -305,9 +328,7 @@ else() add_definitions(-DOPENSSL_API_COMPAT=0x10100000L) endif() - if(LIBFUZZER) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=fuzzer-no-link") - else() + if(NOT FUZZ) set(EXTRA_CFLAGS "${EXTRA_CFLAGS} -Wframe-larger-than=2047") endif() endif() 
@@ -391,6 +412,9 @@ message(STATUS "BUILD_TOOLS: ${BUILD_TOOLS}") message(STATUS "CBOR_INCLUDE_DIRS: ${CBOR_INCLUDE_DIRS}") message(STATUS "CBOR_LIBRARIES: ${CBOR_LIBRARIES}") message(STATUS "CBOR_LIBRARY_DIRS: ${CBOR_LIBRARY_DIRS}") +if(BUILD_TESTS) + message(STATUS "CBOR_BIN_DIRS: ${CBOR_BIN_DIRS}") +endif() message(STATUS "CBOR_VERSION: ${CBOR_VERSION}") message(STATUS "CMAKE_BUILD_TYPE: ${CMAKE_BUILD_TYPE}") message(STATUS "CMAKE_C_COMPILER: ${CMAKE_C_COMPILER}") @@ -408,12 +432,21 @@ message(STATUS "CMAKE_SYSTEM_VERSION: ${CMAKE_SYSTEM_VERSION}") message(STATUS "CRYPTO_INCLUDE_DIRS: ${CRYPTO_INCLUDE_DIRS}") message(STATUS "CRYPTO_LIBRARIES: ${CRYPTO_LIBRARIES}") message(STATUS "CRYPTO_LIBRARY_DIRS: ${CRYPTO_LIBRARY_DIRS}") +if(BUILD_TESTS) + message(STATUS "CRYPTO_BIN_DIRS: ${CRYPTO_BIN_DIRS}") +endif() message(STATUS "CRYPTO_VERSION: ${CRYPTO_VERSION}") message(STATUS "FIDO_VERSION: ${FIDO_VERSION}") message(STATUS "FUZZ: ${FUZZ}") +if(FUZZ) + message(STATUS "FUZZ_LDFLAGS: ${FUZZ_LDFLAGS}") +endif() message(STATUS "ZLIB_INCLUDE_DIRS: ${ZLIB_INCLUDE_DIRS}") message(STATUS "ZLIB_LIBRARIES: ${ZLIB_LIBRARIES}") message(STATUS "ZLIB_LIBRARY_DIRS: ${ZLIB_LIBRARY_DIRS}") +if(BUILD_TESTS) + message(STATUS "ZLIB_BIN_DIRS: ${ZLIB_BIN_DIRS}") +endif() message(STATUS "ZLIB_VERSION: ${ZLIB_VERSION}") if(USE_HIDAPI) message(STATUS "HIDAPI_INCLUDE_DIRS: ${HIDAPI_INCLUDE_DIRS}") @@ -425,7 +458,6 @@ message(STATUS "PCSC_INCLUDE_DIRS: ${PCSC_INCLUDE_DIRS}") message(STATUS "PCSC_LIBRARIES: ${PCSC_LIBRARIES}") message(STATUS "PCSC_LIBRARY_DIRS: ${PCSC_LIBRARY_DIRS}") message(STATUS "PCSC_VERSION: ${PCSC_VERSION}") -message(STATUS "LIBFUZZER: ${LIBFUZZER}") message(STATUS "TLS: ${TLS}") message(STATUS "UDEV_INCLUDE_DIRS: ${UDEV_INCLUDE_DIRS}") message(STATUS "UDEV_LIBRARIES: ${UDEV_LIBRARIES}") 
@@ -437,33 +469,30 @@ message(STATUS "USE_PCSC: ${USE_PCSC}") message(STATUS "USE_WINHELLO: ${USE_WINHELLO}") message(STATUS "NFC_LINUX: ${NFC_LINUX}") -if(BUILD_SHARED_LIBS) - set(_FIDO2_LIBRARY fido2_shared) -elseif(BUILD_STATIC_LIBS) - set(_FIDO2_LIBRARY fido2) -else() - message(FATAL_ERROR "Nothing to build (BUILD_*_LIBS=OFF)") +if(BUILD_TESTS) + enable_testing() endif() -enable_testing() +add_subdirectory(src) -subdirs(src) -subdirs(regress) +if(BUILD_TESTS) + add_subdirectory(regress) +endif() if(BUILD_EXAMPLES) - subdirs(examples) + add_subdirectory(examples) endif() if(BUILD_TOOLS) - subdirs(tools) + add_subdirectory(tools) endif() if(BUILD_MANPAGES) - subdirs(man) + add_subdirectory(man) endif() if(NOT WIN32) if(FUZZ) - subdirs(fuzz) + add_subdirectory(fuzz) endif() if(CMAKE_SYSTEM_NAME STREQUAL "Linux") - subdirs(udev) + add_subdirectory(udev) endif() endif() @@ -1,4 +1,4 @@ -Copyright (c) 2018-2022 Yubico AB. All rights reserved. +Copyright (c) 2018-2023 Yubico AB. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are @@ -1,3 +1,11 @@ +* Version 1.13.0 (2023-02-20) + ** Support for linking against OpenSSL on Windows; gh#668. + ** New API calls: + - fido_assert_empty_allow_list; + - fido_cred_empty_exclude_list. + ** fido2-token: fix issue when listing large blobs. + ** Improved support for different fuzzing engines. + * Version 1.12.0 (2022-09-22) ** Support for COSE_ES384. ** Support for hidraw(4) on FreeBSD; gh#597. diff --git a/README.adoc b/README.adoc index 6d6a96eb1712..44d559894dac 100644 --- a/README.adoc +++ b/README.adoc @@ -38,7 +38,7 @@ is also available. === Releases -The current release of *libfido2* is 1.12.0. Signed release tarballs are +The current release of *libfido2* is 1.13.0. Signed release tarballs are available at Yubico's https://developers.yubico.com/libfido2/Releases[release page]. 
@@ -119,7 +119,6 @@ officially supported. | BUILD_STATIC_LIBS | Build a static library | ON | BUILD_TOOLS | Build auxiliary tools | ON | FUZZ | Enable fuzzing instrumentation | OFF -| LIBFUZZER | Build libfuzzer harnesses | OFF | NFC_LINUX | Enable netlink NFC support on Linux | ON | USE_HIDAPI | Use hidapi as the HID backend | OFF | USE_PCSC | Enable experimental PCSC support | OFF diff --git a/examples/README.adoc b/examples/README.adoc index 6853757acad1..d44218c2cf87 100644 --- a/examples/README.adoc +++ b/examples/README.adoc @@ -20,8 +20,7 @@ The following definitions are used in the description below: - <pubkey> - The file system path of a file containing a NIST P-256 public key in - PEM format. + The file system path of a file containing a public key in PEM format. - <blobkey> @@ -72,8 +71,10 @@ The following examples are provided: Asks <device> for a FIDO2 assertion corresponding to [cred_id], which may be omitted for resident keys. The obtained assertion is verified using <pubkey>. The -p option requests that the user - be present. User verification may be requested through the -v - option. If option -u is specified, the assertion is generated using + be present and checks whether the user presence bit was signed by the + authenticator. The -v option requests user verification and checks + whether the user verification bit was signed by the authenticator. + If option -u is specified, the assertion is generated using U2F (CTAP1) instead of FIDO2 (CTAP2) commands. If option -s is specified, a FIDO2 hmac-secret is requested from the authenticator, and the contents of <hmac_salt> are used as the salt. If option -h diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt index 52355c1ab6b0..cc30baae88f2 100644 --- a/fuzz/CMakeLists.txt +++ b/fuzz/CMakeLists.txt 
@@ -1,4 +1,4 @@ -# Copyright (c) 2019 Yubico AB. All rights reserved. +# Copyright (c) 2019-2023 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. # SPDX-License-Identifier: BSD-2-Clause 
@@ -13,58 +13,70 @@ list(APPEND COMMON_SOURCES mutator_aux.c ) -set(FUZZ_LDFLAGS "-fsanitize=fuzzer") +# XXX: OSS-Fuzz require linking using CXX +set(FUZZ_LINKER_LANGUAGE "C" CACHE STRING "Linker language for fuzz harnesses") +mark_as_advanced(FUZZ_LINKER_LANGUAGE) +enable_language(${FUZZ_LINKER_LANGUAGE}) # fuzz_cred add_executable(fuzz_cred fuzz_cred.c ${COMMON_SOURCES} ${COMPAT_SOURCES}) -target_compile_options(fuzz_cred PRIVATE ${FUZZ_LDFLAGS}) -set_target_properties(fuzz_cred PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS}) +set_target_properties(fuzz_cred PROPERTIES + LINK_FLAGS ${FUZZ_LDFLAGS} + LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE}) target_link_libraries(fuzz_cred fido2_shared) # fuzz_assert add_executable(fuzz_assert fuzz_assert.c ${COMMON_SOURCES} ${COMPAT_SOURCES}) -target_compile_options(fuzz_assert PRIVATE ${FUZZ_LDFLAGS}) -set_target_properties(fuzz_assert PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS}) +set_target_properties(fuzz_assert PROPERTIES + LINK_FLAGS ${FUZZ_LDFLAGS} + LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE}) target_link_libraries(fuzz_assert fido2_shared) # fuzz_mgmt add_executable(fuzz_mgmt fuzz_mgmt.c ${COMMON_SOURCES} ${COMPAT_SOURCES}) -target_compile_options(fuzz_mgmt PRIVATE ${FUZZ_LDFLAGS}) -set_target_properties(fuzz_mgmt PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS}) +set_target_properties(fuzz_mgmt PROPERTIES + LINK_FLAGS ${FUZZ_LDFLAGS} + LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE}) target_link_libraries(fuzz_mgmt fido2_shared) # fuzz_credman add_executable(fuzz_credman fuzz_credman.c ${COMMON_SOURCES} ${COMPAT_SOURCES}) -target_compile_options(fuzz_credman PRIVATE ${FUZZ_LDFLAGS}) -set_target_properties(fuzz_credman PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS}) +set_target_properties(fuzz_credman PROPERTIES + LINK_FLAGS ${FUZZ_LDFLAGS} + LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE}) target_link_libraries(fuzz_credman fido2_shared) # fuzz_bio add_executable(fuzz_bio fuzz_bio.c ${COMMON_SOURCES} ${COMPAT_SOURCES}) -target_compile_options(fuzz_bio PRIVATE ${FUZZ_LDFLAGS}) 
-set_target_properties(fuzz_bio PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS}) +set_target_properties(fuzz_bio PROPERTIES + LINK_FLAGS ${FUZZ_LDFLAGS} + LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE}) target_link_libraries(fuzz_bio fido2_shared) # fuzz_hid add_executable(fuzz_hid fuzz_hid.c ${COMMON_SOURCES} ${COMPAT_SOURCES}) -target_compile_options(fuzz_hid PRIVATE ${FUZZ_LDFLAGS}) -set_target_properties(fuzz_hid PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS}) +set_target_properties(fuzz_hid PROPERTIES + LINK_FLAGS ${FUZZ_LDFLAGS} + LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE}) target_link_libraries(fuzz_hid fido2_shared) # fuzz_netlink add_executable(fuzz_netlink fuzz_netlink.c ${COMMON_SOURCES} ${COMPAT_SOURCES}) -target_compile_options(fuzz_netlink PRIVATE ${FUZZ_LDFLAGS}) -set_target_properties(fuzz_netlink PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS}) +set_target_properties(fuzz_netlink PROPERTIES + LINK_FLAGS ${FUZZ_LDFLAGS} + LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE}) target_link_libraries(fuzz_netlink fido2_shared) # fuzz_largeblob add_executable(fuzz_largeblob fuzz_largeblob.c ${COMMON_SOURCES} ${COMPAT_SOURCES}) -target_compile_options(fuzz_largeblob PRIVATE ${FUZZ_LDFLAGS}) -set_target_properties(fuzz_largeblob PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS}) +set_target_properties(fuzz_largeblob PROPERTIES + LINK_FLAGS ${FUZZ_LDFLAGS} + LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE}) target_link_libraries(fuzz_largeblob fido2_shared) # fuzz_pcsc add_executable(fuzz_pcsc fuzz_pcsc.c ${COMMON_SOURCES} ${COMPAT_SOURCES}) -target_compile_options(fuzz_pcsc PRIVATE ${FUZZ_LDFLAGS}) -set_target_properties(fuzz_pcsc PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS}) +set_target_properties(fuzz_pcsc PROPERTIES + LINK_FLAGS ${FUZZ_LDFLAGS} + LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE}) target_link_libraries(fuzz_pcsc fido2_shared) diff --git a/fuzz/Dockerfile b/fuzz/Dockerfile index 0c99f2c95aaf..9cda37589b44 100644 --- a/fuzz/Dockerfile +++ b/fuzz/Dockerfile 
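Review bot: `LINK_FLAGS ${FUZZ_LDFLAGS}` is unquoted in all nine set_target_properties() calls (fuzz_cred through fuzz_pcsc), while the same hunk removes the default `set(FUZZ_LDFLAGS "-fsanitize=fuzzer")`. Unless the variable is defaulted somewhere outside the lines shown, configuring with FUZZ=ON and no -DFUZZ_LDFLAGS expands to a property name with no value, and set_target_properties() is then called with an unpaired argument. Quoting the expansion, `LINK_FLAGS "${FUZZ_LDFLAGS}"`, keeps the name/value pair intact for an empty value and also stops a semicolon-separated value from being split into extra arguments.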
@@ -1,4 +1,4 @@ -# Copyright (c) 2019-2022 Yubico AB. All rights reserved. +# Copyright (c) 2019-2023 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. # SPDX-License-Identifier: BSD-2-Clause @@ -10,7 +10,7 @@ RUN apk -q update RUN apk add build-base clang clang-analyzer cmake compiler-rt coreutils RUN apk add eudev-dev git linux-headers llvm openssl-dev pcsc-lite-dev RUN apk add sudo tar zlib-dev -RUN git clone --branch v0.9.0 --depth=1 https://github.com/PJK/libcbor +RUN git clone --branch v0.10.1 --depth=1 https://github.com/PJK/libcbor RUN git clone --depth=1 https://github.com/yubico/libfido2 WORKDIR /libfido2 RUN ./fuzz/build-coverage /libcbor /libfido2 diff --git a/fuzz/Makefile b/fuzz/Makefile index 857c89ee0742..0e6756f0ada1 100644 --- a/fuzz/Makefile +++ b/fuzz/Makefile @@ -1,9 +1,9 @@ -# Copyright (c) 2019-2022 Yubico AB. All rights reserved. +# Copyright (c) 2019-2023 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. # SPDX-License-Identifier: BSD-2-Clause -IMAGE := libfido2-coverage:1.12.2 +IMAGE := libfido2-coverage:1.13.1 RUNNER := libfido2-runner PROFDATA := llvm-profdata COV := llvm-cov diff --git a/fuzz/README b/fuzz/README index 2e88db74975e..427625c6e714 100644 --- a/fuzz/README +++ b/fuzz/README @@ -8,7 +8,8 @@ use preload-fuzz.c to read device data from stdin. libFuzzer is better suited for bespoke fuzzers; see fuzz_cred.c, fuzz_credman.c, fuzz_assert.c, fuzz_hid.c, and fuzz_mgmt.c for examples. To build these -harnesses, use -DFUZZ=ON -DLIBFUZZER=ON. +harnesses, use -DCMAKE_C_FLAGS=-fsanitize=fuzzer-no-link +-DFUZZ_LDFLAGS=-fsanitize=fuzzer -DFUZZ=ON. If -DFUZZ=ON is enabled, symbols listed in wrapped.sym are wrapped in the resulting shared object. The wrapper functions simulate failure according to a 
@@ -21,20 +22,22 @@ To run under ASAN/MSAN/UBSAN, libfido2 needs to be linked against flavours of libcbor and OpenSSL built with the respective sanitiser. In order to keep memory utilisation at a manageable level, you can either enforce limits at the OS level (e.g. cgroups on Linux), or patch libcbor with the diff below. +N.B., the patch below is relative to libcbor 0.10.1. diff --git src/cbor/internal/memory_utils.c src/cbor/internal/memory_utils.c -index aa049a2..e294b38 100644 +index bbea63c..3f7c9af 100644 --- src/cbor/internal/memory_utils.c +++ src/cbor/internal/memory_utils.c -@@ -28,7 +28,10 @@ bool _cbor_safe_to_multiply(size_t a, size_t b) { +@@ -41,7 +41,11 @@ size_t _cbor_safe_signaling_add(size_t a, size_t b) { void* _cbor_alloc_multiple(size_t item_size, size_t item_count) { if (_cbor_safe_to_multiply(item_size, item_count)) { -- return _CBOR_MALLOC(item_size * item_count); +- return _cbor_malloc(item_size * item_count); + if (item_count > 1000) { + return NULL; -+ } else -+ return _CBOR_MALLOC(item_size * item_count); ++ } else { ++ return _cbor_malloc(item_size * item_count); ++ } } else { return NULL; } diff --git a/fuzz/build-coverage b/fuzz/build-coverage index 8c989fc0cb6d..6cc5041a1db2 100755 --- a/fuzz/build-coverage +++ b/fuzz/build-coverage @@ -26,7 +26,9 @@ make -C "${LIBCBOR}/build" VERBOSE=1 all install # Build libfido2. mkdir -p "${LIBFIDO2}/build" export CFLAGS="-fprofile-instr-generate -fcoverage-mapping" +export CFLAGS="${CFLAGS} -fsanitize=fuzzer-no-link" export LDFLAGS="${CFLAGS}" -(cd "${LIBFIDO2}/build" && cmake -DFUZZ=ON -DLIBFUZZER=ON \ - -DCMAKE_BUILD_TYPE=Debug ..) +export FUZZ_LDFLAGS="${LDFLAGS} -fsanitize=fuzzer" +(cd "${LIBFIDO2}/build" && cmake -DFUZZ=ON -DFUZZ_LDFLAGS="${FUZZ_LDFLAGS}" \ + -DCMAKE_BUILD_TYPE=Debug ..) make -C "${LIBFIDO2}/build" diff --git a/fuzz/fuzz_assert.c b/fuzz/fuzz_assert.c index 603957ec2bac..9f39f3d6ecb7 100644 --- a/fuzz/fuzz_assert.c +++ b/fuzz/fuzz_assert.c 
@@ -141,7 +141,7 @@ pack(uint8_t *ptr, size_t len, const struct param *p) goto fail; if ((cbor_len = cbor_serialize_alloc(array, &cbor, - &cbor_alloc_len)) > len) { + &cbor_alloc_len)) == 0 || cbor_len > len) { cbor_len = 0; goto fail; } diff --git a/fuzz/fuzz_bio.c b/fuzz/fuzz_bio.c index 6ebfd151a3d8..0c6b12c4b7c3 100644 --- a/fuzz/fuzz_bio.c +++ b/fuzz/fuzz_bio.c @@ -155,7 +155,7 @@ pack(uint8_t *ptr, size_t len, const struct param *p) goto fail; if ((cbor_len = cbor_serialize_alloc(array, &cbor, - &cbor_alloc_len)) > len) { + &cbor_alloc_len)) == 0 || cbor_len > len) { cbor_len = 0; goto fail; } diff --git a/fuzz/fuzz_cred.c b/fuzz/fuzz_cred.c index a0866dc6e133..497298f70290 100644 --- a/fuzz/fuzz_cred.c +++ b/fuzz/fuzz_cred.c @@ -151,7 +151,7 @@ pack(uint8_t *ptr, size_t len, const struct param *p) goto fail; if ((cbor_len = cbor_serialize_alloc(array, &cbor, - &cbor_alloc_len)) > len) { + &cbor_alloc_len)) == 0 || cbor_len > len) { cbor_len = 0; goto fail; } diff --git a/fuzz/fuzz_credman.c b/fuzz/fuzz_credman.c index 1cb95dce3fab..ef2147581564 100644 --- a/fuzz/fuzz_credman.c +++ b/fuzz/fuzz_credman.c @@ -142,7 +142,7 @@ pack(uint8_t *ptr, size_t len, const struct param *p) goto fail; if ((cbor_len = cbor_serialize_alloc(array, &cbor, - &cbor_alloc_len)) > len) { + &cbor_alloc_len)) == 0 || cbor_len > len) { cbor_len = 0; goto fail; } diff --git a/fuzz/fuzz_hid.c b/fuzz/fuzz_hid.c index 27ccb2feadfa..daaadadf19bc 100644 --- a/fuzz/fuzz_hid.c +++ b/fuzz/fuzz_hid.c @@ -105,7 +105,7 @@ pack(uint8_t *ptr, size_t len, const struct param *p) goto fail; if ((cbor_len = cbor_serialize_alloc(array, &cbor, - &cbor_alloc_len)) > len) { + &cbor_alloc_len)) == 0 || cbor_len > len) { cbor_len = 0; goto fail; } diff --git a/fuzz/fuzz_largeblob.c b/fuzz/fuzz_largeblob.c index 432629681e58..6cdc0c0d57cb 100644 --- a/fuzz/fuzz_largeblob.c +++ b/fuzz/fuzz_largeblob.c 
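Review bot: The new `== 0` test in pack() has no comment saying why a zero length from cbor_serialize_alloc() is an error; this applies to fuzz_assert.c, fuzz_bio.c, fuzz_cred.c, fuzz_credman.c and fuzz_hid.c on this line, and to fuzz_largeblob.c, fuzz_mgmt.c, fuzz_netlink.c and fuzz_pcsc.c in the hunks that follow. Presumably it matches the failure convention of the libcbor 0.10.1 that fuzz/Dockerfile now pins; a line such as `/* cbor_serialize_alloc() returns 0 on failure */` above the condition would say so. pack() starts and ends outside each hunk, so whether the `fail` path copes with `cbor` being unset after a zero return cannot be checked from here and is worth confirming.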
@@ -119,7 +119,7 @@ pack(uint8_t *ptr, size_t len, const struct param *p) goto fail; if ((cbor_len = cbor_serialize_alloc(array, &cbor, - &cbor_alloc_len)) > len) { + &cbor_alloc_len)) == 0 || cbor_len > len) { cbor_len = 0; goto fail; } diff --git a/fuzz/fuzz_mgmt.c b/fuzz/fuzz_mgmt.c index 6a5e7b667952..cbc313d1f793 100644 --- a/fuzz/fuzz_mgmt.c +++ b/fuzz/fuzz_mgmt.c @@ -139,7 +139,7 @@ pack(uint8_t *ptr, size_t len, const struct param *p) goto fail; if ((cbor_len = cbor_serialize_alloc(array, &cbor, - &cbor_alloc_len)) > len) { + &cbor_alloc_len)) == 0 || cbor_len > len) { cbor_len = 0; goto fail; } diff --git a/fuzz/fuzz_netlink.c b/fuzz/fuzz_netlink.c index 2fa897e46fe3..4d28129c3567 100644 --- a/fuzz/fuzz_netlink.c +++ b/fuzz/fuzz_netlink.c @@ -76,7 +76,7 @@ pack(uint8_t *ptr, size_t len, const struct param *p) goto fail; if ((cbor_len = cbor_serialize_alloc(array, &cbor, - &cbor_alloc_len)) > len) { + &cbor_alloc_len)) == 0 || cbor_len > len) { cbor_len = 0; goto fail; } diff --git a/fuzz/fuzz_pcsc.c b/fuzz/fuzz_pcsc.c index f0f6ccaad13e..cf6210b71be5 100644 --- a/fuzz/fuzz_pcsc.c +++ b/fuzz/fuzz_pcsc.c @@ -94,7 +94,7 @@ pack(uint8_t *ptr, size_t len, const struct param *p) goto fail; if ((cbor_len = cbor_serialize_alloc(array, &cbor, - &cbor_alloc_len)) > len) { + &cbor_alloc_len)) == 0 || cbor_len > len) { cbor_len = 0; goto fail; } diff --git a/man/CMakeLists.txt b/man/CMakeLists.txt index cf32a3a94208..a47767fb6d4b 100644 --- a/man/CMakeLists.txt +++ b/man/CMakeLists.txt @@ -59,6 +59,7 @@ list(APPEND MAN_ALIAS es384_pk_new es384_pk_from_EVP_PKEY es384_pk_new es384_pk_from_ptr es384_pk_new es384_pk_to_EVP_PKEY + fido_assert_allow_cred fido_assert_empty_allow_list fido_assert_new fido_assert_authdata_len fido_assert_new fido_assert_authdata_ptr fido_assert_new fido_assert_blob_len 
@@ -149,6 +150,7 @@ list(APPEND MAN_ALIAS fido_cbor_info_new fido_cbor_info_versions_len fido_cbor_info_new fido_cbor_info_versions_ptr fido_cbor_info_new fido_dev_get_cbor_info + fido_cred_exclude fido_cred_empty_exclude_list fido_cred_new fido_cred_aaguid_len fido_cred_new fido_cred_aaguid_ptr fido_cred_new fido_cred_attstmt_len @@ -295,7 +297,7 @@ endforeach() # man_html foreach(f ${MAN_SOURCES}) - string(REGEX REPLACE ".[13]" "" g ${f}) + string(REGEX REPLACE "\\.[13]$" "" g ${f}) add_custom_command(OUTPUT ${g}.html COMMAND mandoc -T html -O man="%N.html",style=style.css -I os="Yubico AB" ${f} > ${g}.html DEPENDS ${f}) @@ -304,7 +306,7 @@ endforeach() # man_html_partial foreach(f ${MAN_SOURCES}) - string(REGEX REPLACE ".[13]" "" g ${f}) + string(REGEX REPLACE "\\.[13]$" "" g ${f}) add_custom_command(OUTPUT ${g}.partial COMMAND cat ${PROJECT_SOURCE_DIR}/man/dyc.css > ${g}.partial COMMAND mandoc -T html -O man="%N.html",fragment ${f} >> ${g}.partial @@ -357,7 +359,7 @@ if(MANDOC_PATH) install(FILES ${PROJECT_SOURCE_DIR}/man/style.css DESTINATION "${CMAKE_INSTALL_DOCDIR}/html") foreach(f ${MAN_SOURCES}) - string(REGEX REPLACE ".[13]" "" f ${f}) + string(REGEX REPLACE "\\.[13]$" "" f ${f}) install(FILES ${PROJECT_BINARY_DIR}/man/${f}.html DESTINATION "${CMAKE_INSTALL_DOCDIR}/html") endforeach() diff --git a/man/fido_assert_allow_cred.3 b/man/fido_assert_allow_cred.3 index 0690efcff4ba..652013734295 100644 --- a/man/fido_assert_allow_cred.3 +++ b/man/fido_assert_allow_cred.3 @@ -1,4 +1,4 @@ -.\" Copyright (c) 2018 Yubico AB. All rights reserved. +.\" Copyright (c) 2018-2022 Yubico AB. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions are 
@@ -25,16 +25,19 @@ .\" .\" SPDX-License-Identifier: BSD-2-Clause .\" -.Dd $Mdocdate: May 23 2018 $ +.Dd $Mdocdate: December 1 2022 $ .Dt FIDO_ASSERT_ALLOW_CRED 3 .Os .Sh NAME -.Nm fido_assert_allow_cred -.Nd allow a credential in a FIDO2 assertion +.Nm fido_assert_allow_cred , +.Nm fido_assert_empty_allow_list +.Nd manage allow lists in a FIDO2 assertion .Sh SYNOPSIS .In fido.h .Ft int .Fn fido_assert_allow_cred "fido_assert_t *assert" "const unsigned char *ptr" "size_t len" +.Ft int +.Fn fido_assert_empty_allow_list "fido_assert_t *assert" .Sh DESCRIPTION The .Fn fido_assert_allow_cred @@ -56,9 +59,16 @@ fails, the existing list of allowed credentials is preserved. .Pp For the format of a FIDO2 credential ID, please refer to the Web Authentication (webauthn) standard. +.Pp +The +.Fn fido_assert_empty_allow_list +function empties the list of credentials allowed in +.Fa assert . .Sh RETURN VALUES The error codes returned by .Fn fido_assert_allow_cred +and +.Fn fido_assert_empty_allow_list are defined in .In fido/err.h . On success, diff --git a/man/fido_cred_exclude.3 b/man/fido_cred_exclude.3 index 0d4ba75ecbef..d5e840d56e11 100644 --- a/man/fido_cred_exclude.3 +++ b/man/fido_cred_exclude.3 @@ -1,4 +1,4 @@ -.\" Copyright (c) 2018 Yubico AB. All rights reserved. +.\" Copyright (c) 2018-2022 Yubico AB. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions are 
@@ -25,16 +25,19 @@ .\" .\" SPDX-License-Identifier: BSD-2-Clause .\" -.Dd $Mdocdate: May 23 2018 $ +.Dd $Mdocdate: December 2 2022 $ .Dt FIDO_CRED_EXCLUDE 3 .Os .Sh NAME -.Nm fido_cred_exclude -.Nd appends a credential ID to a credential's list of excluded credentials +.Nm fido_cred_exclude , +.Nm fido_cred_empty_exclude_list +.Nd manage exclude lists in a FIDO2 credential .Sh SYNOPSIS .In fido.h .Ft int .Fn fido_cred_exclude "fido_cred_t *cred" "const unsigned char *ptr" "size_t len" +.Ft int +.Fn fido_cred_empty_exclude_list "fido_cred_t *cred" .Sh DESCRIPTION The .Fn fido_cred_exclude @@ -69,9 +72,16 @@ will fail. .Pp For the format of a FIDO2 credential ID, please refer to the Web Authentication (webauthn) standard. +.Pp +The +.Fn fido_cred_empty_exclude_list +function empties the list of credentials excluded by +.Fa cred . .Sh RETURN VALUES The error codes returned by .Fn fido_cred_exclude +and +.Fn fido_cred_empty_exclude_list are defined in .In fido/err.h . On success, diff --git a/src/assert.c b/src/assert.c index a690f46dc882..dabe8b9fdcf7 100644 --- a/src/assert.c +++ b/src/assert.c @@ -673,7 +673,15 @@ fail: free(id.ptr); return (r); +} +int +fido_assert_empty_allow_list(fido_assert_t *assert) +{ + fido_free_blob_array(&assert->allow_list); + memset(&assert->allow_list, 0, sizeof(assert->allow_list)); + + return (FIDO_OK); } int @@ -740,9 +748,8 @@ fido_assert_reset_tx(fido_assert_t *assert) fido_blob_reset(&assert->cd); fido_blob_reset(&assert->cdh); fido_blob_reset(&assert->ext.hmac_salt); - fido_free_blob_array(&assert->allow_list); + fido_assert_empty_allow_list(assert); memset(&assert->ext, 0, sizeof(assert->ext)); - memset(&assert->allow_list, 0, sizeof(assert->allow_list)); assert->rp_id = NULL; assert->up = FIDO_OPT_OMIT; assert->uv = FIDO_OPT_OMIT; diff --git a/src/cred.c b/src/cred.c index 188afe4e64aa..4a7a7257c985 100644 --- a/src/cred.c +++ b/src/cred.c 
@@ -562,11 +562,10 @@ fido_cred_reset_tx(fido_cred_t *cred) free(cred->user.icon); free(cred->user.name); free(cred->user.display_name); - fido_free_blob_array(&cred->excl); + fido_cred_empty_exclude_list(cred); memset(&cred->rp, 0, sizeof(cred->rp)); memset(&cred->user, 0, sizeof(cred->user)); - memset(&cred->excl, 0, sizeof(cred->excl)); memset(&cred->ext, 0, sizeof(cred->ext)); cred->type = 0; @@ -766,6 +765,15 @@ fido_cred_exclude(fido_cred_t *cred, const unsigned char *id_ptr, size_t id_len) } int +fido_cred_empty_exclude_list(fido_cred_t *cred) +{ + fido_free_blob_array(&cred->excl); + memset(&cred->excl, 0, sizeof(cred->excl)); + + return (FIDO_OK); +} + +int fido_cred_set_clientdata(fido_cred_t *cred, const unsigned char *data, size_t data_len) { diff --git a/src/eddsa.c b/src/eddsa.c index d043f89f9f37..bdb53b188cdb 100644 --- a/src/eddsa.c +++ b/src/eddsa.c @@ -11,7 +11,7 @@ #include "fido.h" #include "fido/eddsa.h" -#if defined(LIBRESSL_VERSION_NUMBER) +#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3070000f EVP_PKEY * EVP_PKEY_new_raw_public_key(int type, ENGINE *e, const unsigned char *key, size_t keylen) diff --git a/src/export.gnu b/src/export.gnu index 6916837ecbcc..604741ed7d92 100644 --- a/src/export.gnu +++ b/src/export.gnu @@ -25,6 +25,7 @@ fido_assert_clientdata_hash_len; fido_assert_clientdata_hash_ptr; fido_assert_count; + fido_assert_empty_allow_list; fido_assert_flags; fido_assert_free; fido_assert_hmac_secret_len; @@ -125,6 +126,7 @@ fido_cred_clientdata_hash_len; fido_cred_clientdata_hash_ptr; fido_cred_display_name; + fido_cred_empty_exclude_list; fido_cred_exclude; fido_cred_flags; fido_cred_largeblob_key_len; diff --git a/src/export.llvm b/src/export.llvm index bd21fb4a54f7..0be829538d7b 100644 --- a/src/export.llvm +++ b/src/export.llvm 
@@ -23,6 +23,7 @@ _fido_assert_blob_ptr _fido_assert_clientdata_hash_len _fido_assert_clientdata_hash_ptr _fido_assert_count +_fido_assert_empty_allow_list _fido_assert_flags _fido_assert_free _fido_assert_hmac_secret_len @@ -123,6 +124,7 @@ _fido_cred_authdata_raw_ptr _fido_cred_clientdata_hash_len _fido_cred_clientdata_hash_ptr _fido_cred_display_name +_fido_cred_empty_exclude_list _fido_cred_exclude _fido_cred_flags _fido_cred_largeblob_key_len diff --git a/src/export.msvc b/src/export.msvc index 55147f99e67f..10f8bd14497d 100644 --- a/src/export.msvc +++ b/src/export.msvc @@ -24,6 +24,7 @@ fido_assert_blob_ptr fido_assert_clientdata_hash_len fido_assert_clientdata_hash_ptr fido_assert_count +fido_assert_empty_allow_list fido_assert_flags fido_assert_free fido_assert_hmac_secret_len @@ -124,6 +125,7 @@ fido_cred_authdata_raw_ptr fido_cred_clientdata_hash_len fido_cred_clientdata_hash_ptr fido_cred_display_name +fido_cred_empty_exclude_list fido_cred_exclude fido_cred_flags fido_cred_largeblob_key_len diff --git a/src/fido.h b/src/fido.h index ce7da160619e..607c44fcfd91 100644 --- a/src/fido.h +++ b/src/fido.h @@ -124,6 +124,7 @@ const unsigned char *fido_cred_user_id_ptr(const fido_cred_t *); const unsigned char *fido_cred_x5c_ptr(const fido_cred_t *); int fido_assert_allow_cred(fido_assert_t *, const unsigned char *, size_t); +int fido_assert_empty_allow_list(fido_assert_t *); int fido_assert_set_authdata(fido_assert_t *, size_t, const unsigned char *, size_t); int fido_assert_set_authdata_raw(fido_assert_t *, size_t, const unsigned char *, 
@@ -143,6 +144,7 @@ int fido_assert_set_uv(fido_assert_t *, fido_opt_t); int fido_assert_set_sig(fido_assert_t *, size_t, const unsigned char *, size_t); int fido_assert_verify(const fido_assert_t *, size_t, int, const void *); int fido_cbor_info_algorithm_cose(const fido_cbor_info_t *, size_t); +int fido_cred_empty_exclude_list(fido_cred_t *); int fido_cred_exclude(fido_cred_t *, const unsigned char *, size_t); int fido_cred_prot(const fido_cred_t *); int fido_cred_set_attstmt(fido_cred_t *, const unsigned char *, size_t); diff --git a/src/fido/eddsa.h b/src/fido/eddsa.h index 7981a6f8bae3..5c0b681ee7b0 100644 --- a/src/fido/eddsa.h +++ b/src/fido/eddsa.h @@ -53,7 +53,7 @@ int eddsa_pk_from_ptr(eddsa_pk_t *, const void *, size_t); #ifdef _FIDO_INTERNAL -#if defined(LIBRESSL_VERSION_NUMBER) +#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3070000f #define EVP_PKEY_ED25519 EVP_PKEY_NONE int EVP_PKEY_get_raw_public_key(const EVP_PKEY *, unsigned char *, size_t *); EVP_PKEY *EVP_PKEY_new_raw_public_key(int, ENGINE *, const unsigned char *, diff --git a/src/tpm.c b/src/tpm.c index 69c48c3d4d86..3e09bca00ffb 100644 --- a/src/tpm.c +++ b/src/tpm.c @@ -48,7 +48,7 @@ struct tpm_sha256_digest { /* Part 2, 10.4.3: TPM2B_DATA */ PACKED_TYPE(tpm_sha1_data_t, struct tpm_sha1_data { - uint16_t size; /* sizeof(body */ + uint16_t size; /* sizeof(body) */ uint8_t body[20]; }) diff --git a/src/winhello.c b/src/winhello.c index e0453cb8c70f..efc7dc22f851 100644 --- a/src/winhello.c +++ b/src/winhello.c @@ -85,7 +85,7 @@ webauthn_load(void) fido_log_debug("%s: already loaded", __func__); return -1; } - if ((webauthn_handle = LoadLibrary("webauthn.dll")) == NULL) { + if ((webauthn_handle = LoadLibrary(TEXT("webauthn.dll"))) == NULL) { fido_log_debug("%s: LoadLibrary", __func__); return -1; } 
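Review bot: `LoadLibrary(TEXT("webauthn.dll"))` in the winhello.c hunk at the end of this line still resolves the DLL by bare name, so the default search order, which starts with the application's own directory, decides which webauthn.dll ends up in the process. Restricting the lookup to the system directory, for example `LoadLibraryEx(TEXT("webauthn.dll"), NULL, LOAD_LIBRARY_SEARCH_SYSTEM32)`, removes that dependence on where the binary is installed. webauthn_load() starts and ends outside this hunk, so how the handle is used afterwards is not visible here.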
@@ -472,12 +472,8 @@ unpack_assert_authdata(fido_assert_t *assert, const WEBAUTHN_ASSERTION *wa) { int r; - if (wa->cbAuthenticatorData > SIZE_MAX) { - fido_log_debug("%s: cbAuthenticatorData", __func__); - return -1; - } if ((r = fido_assert_set_authdata_raw(assert, 0, wa->pbAuthenticatorData, - (size_t)wa->cbAuthenticatorData)) != FIDO_OK) { + wa->cbAuthenticatorData)) != FIDO_OK) { fido_log_debug("%s: fido_assert_set_authdata_raw: %s", __func__, fido_strerr(r)); return -1; @@ -491,12 +487,8 @@ unpack_assert_sig(fido_assert_t *assert, const WEBAUTHN_ASSERTION *wa) { int r; - if (wa->cbSignature > SIZE_MAX) { - fido_log_debug("%s: cbSignature", __func__); - return -1; - } if ((r = fido_assert_set_sig(assert, 0, wa->pbSignature, - (size_t)wa->cbSignature)) != FIDO_OK) { + wa->cbSignature)) != FIDO_OK) { fido_log_debug("%s: fido_assert_set_sig: %s", __func__, fido_strerr(r)); return -1; @@ -508,12 +500,8 @@ unpack_assert_sig(fido_assert_t *assert, const WEBAUTHN_ASSERTION *wa) static int unpack_cred_id(fido_assert_t *assert, const WEBAUTHN_ASSERTION *wa) { - if (wa->Credential.cbId > SIZE_MAX) { - fido_log_debug("%s: Credential.cbId", __func__); - return -1; - } if (fido_blob_set(&assert->stmt[0].id, wa->Credential.pbId, - (size_t)wa->Credential.cbId) < 0) { + wa->Credential.cbId) < 0) { fido_log_debug("%s: fido_blob_set", __func__); return -1; } @@ -526,12 +514,8 @@ unpack_user_id(fido_assert_t *assert, const WEBAUTHN_ASSERTION *wa) { if (wa->cbUserId == 0) return 0; /* user id absent */ - if (wa->cbUserId > SIZE_MAX) { - fido_log_debug("%s: cbUserId", __func__); - return -1; - } if (fido_blob_set(&assert->stmt[0].user.id, wa->pbUserId, - (size_t)wa->cbUserId) < 0) { + wa->cbUserId) < 0) { fido_log_debug("%s: fido_blob_set", __func__); return -1; } 
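Review bot: With the `> SIZE_MAX` checks and `(size_t)` casts removed, nothing records why the implicit conversion of the WEBAUTHN_ASSERTION length fields to size_t is safe. This applies to unpack_assert_authdata(), unpack_assert_sig(), unpack_cred_id() and unpack_user_id() on this line, and to unpack_hmac_secret() and translate_winhello_cred() in the hunks that follow. The field types are not visible in these hunks; if they are 32-bit unsigned, as `cb*` members usually are, the removed checks could never fire. A short comment next to the first use, for example `/* cb* lengths are 32-bit and always fit in size_t */`, would keep that reasoning with the code.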
@@ -549,7 +533,6 @@ unpack_hmac_secret(fido_assert_t *assert, const WEBAUTHN_ASSERTION *wa) } if (wa->pHmacSecret == NULL || wa->pHmacSecret->cbFirst == 0 || - wa->pHmacSecret->cbFirst > SIZE_MAX || wa->pHmacSecret->pbFirst == NULL) { fido_log_debug("%s: hmac-secret absent", __func__); return 0; /* proceed without hmac-secret */ @@ -564,7 +547,7 @@ unpack_hmac_secret(fido_assert_t *assert, const WEBAUTHN_ASSERTION *wa) return -1; } if (fido_blob_set(&assert->stmt[0].hmac_secret, - wa->pHmacSecret->pbFirst, (size_t)wa->pHmacSecret->cbFirst) < 0) { + wa->pHmacSecret->pbFirst, wa->pHmacSecret->cbFirst) < 0) { fido_log_debug("%s: fido_blob_set", __func__); return -1; } @@ -752,13 +735,12 @@ translate_winhello_cred(fido_cred_t *cred, struct cbor_load_result cbor; int r = FIDO_ERR_INTERNAL; - if (att->pbAttestationObject == NULL || - att->cbAttestationObject > SIZE_MAX) { + if (att->pbAttestationObject == NULL) { fido_log_debug("%s: pbAttestationObject", __func__); goto fail; } if ((item = cbor_load(att->pbAttestationObject, - (size_t)att->cbAttestationObject, &cbor)) == NULL) { + att->cbAttestationObject, &cbor)) == NULL) { fido_log_debug("%s: cbor_load", __func__); goto fail; } diff --git a/tools/largeblob.c b/tools/largeblob.c index 00cf79ea8fef..78b97ab1e96b 100644 --- a/tools/largeblob.c +++ b/tools/largeblob.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2020 Yubico AB. All rights reserved. + * Copyright (c) 2020-2022 Yubico AB. All rights reserved. * Use of this source code is governed by a BSD-style * license that can be found in the LICENSE file. * SPDX-License-Identifier: BSD-2-Clause @@ -25,6 +25,8 @@ #include "../openbsd-compat/openbsd-compat.h" #include "extern.h" +#define BOUND (1024UL * 1024UL) + struct rkmap { fido_credman_rp_t *rp; /* known rps */ fido_credman_rk_t **rk; /* rk per rp */ 
@@ -303,35 +305,57 @@ out: } static int -decompress(const struct blob *plaintext, uint64_t origsiz) +try_decompress(const struct blob *in, uint64_t origsiz, int wbits) { - struct blob inflated; - u_long ilen, plen; + struct blob out; + z_stream zs; + u_int ilen, olen; int ok = -1; - memset(&inflated, 0, sizeof(inflated)); + memset(&zs, 0, sizeof(zs)); + memset(&out, 0, sizeof(out)); - if (plaintext->len > ULONG_MAX) + if (in->len > UINT_MAX || (ilen = (u_int)in->len) > BOUND) return -1; - if (origsiz > ULONG_MAX || origsiz > SIZE_MAX) + if (origsiz > SIZE_MAX || origsiz > UINT_MAX || + (olen = (u_int)origsiz) > BOUND) return -1; - plen = (u_long)plaintext->len; - ilen = (u_long)origsiz; - inflated.len = (size_t)origsiz; - if ((inflated.ptr = calloc(1, inflated.len)) == NULL) + if (inflateInit2(&zs, wbits) != Z_OK) return -1; - if (uncompress(inflated.ptr, &ilen, plaintext->ptr, plen) != Z_OK || - ilen > SIZE_MAX || (size_t)ilen != (size_t)origsiz) - goto out; - ok = 0; /* success */ -out: - freezero(inflated.ptr, inflated.len); + if ((out.ptr = calloc(1, olen)) == NULL) + goto fail; + + out.len = olen; + zs.next_in = in->ptr; + zs.avail_in = ilen; + zs.next_out = out.ptr; + zs.avail_out = olen; + + if (inflate(&zs, Z_FINISH) != Z_STREAM_END) + goto fail; + if (zs.avail_out != 0) + goto fail; + + ok = 0; +fail: + if (inflateEnd(&zs) != Z_OK) + ok = -1; + + freezero(out.ptr, out.len); return ok; } static int +decompress(const struct blob *plaintext, uint64_t origsiz) +{ + if (try_decompress(plaintext, origsiz, MAX_WBITS) == 0) /* rfc1950 */ + return 0; + return try_decompress(plaintext, origsiz, -MAX_WBITS); /* rfc1951 */ +} + +static int decode(const struct blob *ciphertext, const struct blob *nonce, uint64_t origsiz, const fido_cred_t *cred) { diff --git a/udev/70-u2f.rules b/udev/70-u2f.rules index 913bef2a9936..c443f7524a08 100644 --- a/udev/70-u2f.rules +++ b/udev/70-u2f.rules 
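Review bot: try_decompress() accepts a stream as soon as inflate() returns Z_STREAM_END with the output buffer exactly full, but it never looks at `zs.avail_in`, so bytes that follow the end of the compressed stream are silently ignored. If the blob is expected to hold exactly one compressed stream, the existing test could become `if (zs.avail_out != 0 || zs.avail_in != 0) goto fail;`. Separately, `BOUND` caps both the compressed length and the declared original size here, yet its `#define` carries no comment; something like `/* largest compressed or inflated blob size accepted */` would record the intent.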
@@ -216,6 +216,9 @@ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2ccf", ATTRS{idProduct # TrustKey Solutions FIDO2 G310 by eWBM Co., Ltd. KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="311f", ATTRS{idProduct}=="4a1a", TAG+="uaccess", GROUP="plugdev", MODE="0660" +# TrustKey Solutions FIDO2 G310H/G320H by eWBM Co., Ltd. +KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="311f", ATTRS{idProduct}=="4a2a", TAG+="uaccess", GROUP="plugdev", MODE="0660" + # TrustKey Solutions FIDO2 G320 by eWBM Co., Ltd. KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="311f", ATTRS{idProduct}=="4c2a", TAG+="uaccess", GROUP="plugdev", MODE="0660" diff --git a/udev/fidodevs b/udev/fidodevs index d8a80fc1a4ee..196e92f0b100 100644 --- a/udev/fidodevs +++ b/udev/fidodevs @@ -115,6 +115,7 @@ product LEDGER 0x4015 Ledger Nano X Legacy product HYPERSECU 0x0880 Hypersecu HyperFIDO product EWBM 0x4a1a TrustKey Solutions FIDO2 G310 +product EWBM 0x4a2a TrustKey Solutions FIDO2 G310H/G320H product EWBM 0x4c2a TrustKey Solutions FIDO2 G320 product EWBM 0x5c2f eWBM FIDO2 Goldengate G500 product EWBM 0xa6e9 TrustKey Solutions FIDO2 T120 diff --git a/windows/build.ps1 b/windows/build.ps1 index 4c3a9699b07a..52a1d6692de4 100644 --- a/windows/build.ps1 +++ b/windows/build.ps1 @@ -163,8 +163,8 @@ try { & $CMake ..\..\..\${LIBCBOR} -A "${Arch}" ` -DWITH_EXAMPLES=OFF ` -DBUILD_SHARED_LIBS="${SHARED}" ` - -DCMAKE_C_FLAGS_DEBUG="${CFLAGS_DEBUG}" ` - -DCMAKE_C_FLAGS_RELEASE="${CFLAGS_RELEASE}" ` + -DCMAKE_C_FLAGS_DEBUG="${CFLAGS_DEBUG} /wd4703" ` + -DCMAKE_C_FLAGS_RELEASE="${CFLAGS_RELEASE} /wd4703" ` -DCMAKE_INSTALL_PREFIX="${PREFIX}" "${CMAKE_SYSTEM_VERSION}"; ` ExitOnError & $CMake --build . --config ${Config} --verbose; ExitOnError 
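Review bot: The `/wd4703` appended to `CMAKE_C_FLAGS_DEBUG` and `CMAKE_C_FLAGS_RELEASE` for the libcbor configure step in windows/build.ps1 turns off MSVC's potentially-uninitialized-pointer warning for that whole dependency, and the script gives no reason for it. A short comment above the invocation, for example `# libcbor <version> trips C4703 in <file>; drop /wd4703 once fixed upstream`, would let a later maintainer tell when the suppression can be removed. The surrounding `try` block starts and ends outside the hunk.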
@@ -219,6 +219,7 @@ try { -DCRYPTO_INCLUDE_DIRS="${PREFIX}\include" ` -DCRYPTO_LIBRARY_DIRS="${PREFIX}\lib" ` -DCRYPTO_BIN_DIRS="${PREFIX}\bin" ` + -DCRYPTO_LIBRARIES="${CRYPTO_LIBRARIES}" ` -DCMAKE_C_FLAGS_DEBUG="${CFLAGS_DEBUG} ${Fido2Flags}" ` -DCMAKE_C_FLAGS_RELEASE="${CFLAGS_RELEASE} ${Fido2Flags}" ` -DCMAKE_INSTALL_PREFIX="${PREFIX}" "${CMAKE_SYSTEM_VERSION}"; ` @@ -230,7 +231,7 @@ try { ExitOnError # Copy DLLs. if ("${SHARED}" -eq "ON") { - "cbor.dll", "crypto-49.dll", "zlib1.dll" | ` + "cbor.dll", "${CRYPTO_LIBRARIES}.dll", "zlib1.dll" | ` %{ Copy-Item "${PREFIX}\bin\$_" ` -Destination "examples\${Config}" } } diff --git a/windows/const.ps1 b/windows/const.ps1 index 31426e99fec6..f657846def5e 100644 --- a/windows/const.ps1 +++ b/windows/const.ps1 @@ -1,4 +1,4 @@ -# Copyright (c) 2021 Yubico AB. All rights reserved. +# Copyright (c) 2021-2023 Yubico AB. All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. # SPDX-License-Identifier: BSD-2-Clause 
@@ -7,17 +7,18 @@ New-Variable -Name 'LIBRESSL_URL' ` -Value 'https://fastly.cdn.openbsd.org/pub/OpenBSD/LibreSSL' ` -Option Constant -New-Variable -Name 'LIBRESSL' -Value 'libressl-3.5.3' -Option Constant +New-Variable -Name 'LIBRESSL' -Value 'libressl-3.6.2' -Option Constant +New-Variable -Name 'CRYPTO_LIBRARIES' -Value 'crypto-50' -Option Constant # libcbor coordinates. -New-Variable -Name 'LIBCBOR' -Value 'libcbor-0.9.0' -Option Constant -New-Variable -Name 'LIBCBOR_BRANCH' -Value 'v0.9.0' -Option Constant +New-Variable -Name 'LIBCBOR' -Value 'libcbor-0.10.1' -Option Constant +New-Variable -Name 'LIBCBOR_BRANCH' -Value 'v0.10.1' -Option Constant New-Variable -Name 'LIBCBOR_GIT' -Value 'https://github.com/pjk/libcbor' ` -Option Constant # zlib coordinates. -New-Variable -Name 'ZLIB' -Value 'zlib-1.2.12' -Option Constant -New-Variable -Name 'ZLIB_BRANCH' -Value 'v1.2.12' -Option Constant +New-Variable -Name 'ZLIB' -Value 'zlib-1.2.13' -Option Constant +New-Variable -Name 'ZLIB_BRANCH' -Value 'v1.2.13' -Option Constant New-Variable -Name 'ZLIB_GIT' -Value 'https://github.com/madler/zlib' ` -Option Constant diff --git a/windows/release.ps1 b/windows/release.ps1 index 423ec20f7e59..cc5f635b8faa 100644 --- a/windows/release.ps1 +++ b/windows/release.ps1 @@ -8,7 +8,6 @@ $Architectures = @('x64', 'Win32', 'ARM64', 'ARM') $InstallPrefixes = @('Win64', 'Win32', 'ARM64', 'ARM') $Types = @('dynamic', 'static') $Config = 'Release' -$LibCrypto = '49' $SDK = '143' . "$PSScriptRoot\const.ps1" 
@@ -36,8 +35,8 @@ Function Package-Dynamic(${SRC}, ${DEST}) { Copy-Item "${SRC}\lib\cbor.lib" "${DEST}" Copy-Item "${SRC}\bin\zlib1.dll" "${DEST}" Copy-Item "${SRC}\lib\zlib1.lib" "${DEST}" - Copy-Item "${SRC}\bin\crypto-${LibCrypto}.dll" "${DEST}" - Copy-Item "${SRC}\lib\crypto-${LibCrypto}.lib" "${DEST}" + Copy-Item "${SRC}\bin\${CRYPTO_LIBRARIES}.dll" "${DEST}" + Copy-Item "${SRC}\lib\${CRYPTO_LIBRARIES}.lib" "${DEST}" Copy-Item "${SRC}\bin\fido2.dll" "${DEST}" Copy-Item "${SRC}\lib\fido2.lib" "${DEST}" } @@ -45,13 +44,13 @@ Function Package-Dynamic(${SRC}, ${DEST}) { Function Package-Static(${SRC}, ${DEST}) { Copy-Item "${SRC}/lib/cbor.lib" "${DEST}" Copy-Item "${SRC}/lib/zlib1.lib" "${DEST}" - Copy-Item "${SRC}/lib/crypto-${LibCrypto}.lib" "${DEST}" + Copy-Item "${SRC}/lib/${CRYPTO_LIBRARIES}.lib" "${DEST}" Copy-Item "${SRC}/lib/fido2_static.lib" "${DEST}/fido2.lib" } Function Package-PDBs(${SRC}, ${DEST}) { Copy-Item "${SRC}\${LIBRESSL}\crypto\crypto_obj.dir\${Config}\crypto_obj.pdb" ` - "${DEST}\crypto-${LibCrypto}.pdb" + "${DEST}\${CRYPTO_LIBRARIES}.pdb" Copy-Item "${SRC}\${LIBCBOR}\src\cbor.dir\${Config}\vc${SDK}.pdb" ` "${DEST}\cbor.pdb" Copy-Item "${SRC}\${ZLIB}\zlib.dir\${Config}\vc${SDK}.pdb" ` @@ -62,7 +61,7 @@ Function Package-PDBs(${SRC}, ${DEST}) { Function Package-StaticPDBs(${SRC}, ${DEST}) { Copy-Item "${SRC}\${LIBRESSL}\crypto\crypto_obj.dir\${Config}\crypto_obj.pdb" ` - "${DEST}\crypto-${LibCrypto}.pdb" + "${DEST}\${CRYPTO_LIBRARIES}.pdb" Copy-Item "${SRC}\${LIBCBOR}\src\${Config}\cbor.pdb" ` "${DEST}\cbor.pdb" Copy-Item "${SRC}\${ZLIB}\${Config}\zlibstatic.pdb" ` |