Merge pull request #11 from tgauth/update-1.13.0

Update to 1.13.0

Author: tgauth

.actions/build-linux-i686-w64-mingw32-gcc

@@ -1,6 +1,6 @@
 #!/bin/sh -eux
 
-# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2023 Yubico AB. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
@@ -23,7 +23,7 @@ SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
 EOF
 
 # Build and install libcbor.
-git clone --depth=1 https://github.com/pjk/libcbor -b v0.9.0
+git clone --depth=1 https://github.com/pjk/libcbor -b v0.10.1
 cd libcbor
 mkdir build
 (cd build && cmake -DCMAKE_TOOLCHAIN_FILE=/tmp/mingw.cmake \
@@ -32,8 +32,8 @@ make -j"$(nproc)" -C build
 sudo make -C build install
 cd ..
 
-# Build and install OpenSSL 1.1.1q.
-git clone --depth=1 https://github.com/openssl/openssl -b OpenSSL_1_1_1q
+# Build and install OpenSSL 1.1.1t.
+git clone --depth=1 https://github.com/openssl/openssl -b OpenSSL_1_1_1t
 cd openssl
 ./Configure mingw --prefix=/fakeroot --openssldir=/fakeroot/openssl \
 	--cross-compile-prefix=i686-w64-mingw32-

.actions/build-linux-openssl3-clang

@@ -12,8 +12,8 @@ FAKEROOT="$(mktemp -d)"
 # Check exports.
 (cd src && ./diff_exports.sh)
 
-# Build and install OpenSSL 3.0.5.
-git clone --branch openssl-3.0.5 \
+# Build and install OpenSSL 3.0.8.
+git clone --branch openssl-3.0.8 \
 	--depth=1 https://github.com/openssl/openssl
 cd openssl
 ./Configure linux-x86_64-clang --prefix="${FAKEROOT}" \

.actions/build-linux-openssl3-gcc

@@ -8,8 +8,8 @@
 ${CC} --version
 FAKEROOT="$(mktemp -d)"
 
-# Build and install OpenSSL 3.0.5.
-git clone --branch openssl-3.0.5 \
+# Build and install OpenSSL 3.0.8.
+git clone --branch openssl-3.0.8 \
 	--depth=1 https://github.com/openssl/openssl
 cd openssl
 ./Configure linux-x86_64 --prefix="${FAKEROOT}" \

.actions/build-linux-openssl3-i686-w64-mingw32-gcc

@@ -1,6 +1,6 @@
 #!/bin/sh -eux
 
-# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2023 Yubico AB. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
@@ -23,7 +23,7 @@ SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
 EOF
 
 # Build and install libcbor.
-git clone --depth=1 https://github.com/pjk/libcbor -b v0.9.0
+git clone --depth=1 https://github.com/pjk/libcbor -b v0.10.1
 cd libcbor
 mkdir build
 (cd build && cmake -DCMAKE_TOOLCHAIN_FILE=/tmp/mingw.cmake \
@@ -32,8 +32,8 @@ make -j"$(nproc)" -C build
 sudo make -C build install
 cd ..
 
-# Build and install OpenSSL 3.0.5.
-git clone --branch openssl-3.0.5 \
+# Build and install OpenSSL 3.0.8.
+git clone --branch openssl-3.0.8 \
 	--depth=1 https://github.com/openssl/openssl
 cd openssl
 ./Configure mingw --prefix=/fakeroot --openssldir=/fakeroot/openssl \

.actions/fuzz-linux

@@ -6,18 +6,20 @@
 # SPDX-License-Identifier: BSD-2-Clause
 
 LIBCBOR_URL="https://github.com/pjk/libcbor"
-LIBCBOR_TAG="v0.9.0"
+LIBCBOR_TAG="v0.10.1"
 LIBCBOR_ASAN="address alignment bounds"
 LIBCBOR_MSAN="memory"
 OPENSSL_URL="https://github.com/openssl/openssl"
-OPENSSL_TAG="OpenSSL_1_1_1q"
+OPENSSL_TAG="OpenSSL_1_1_1t"
 ZLIB_URL="https://github.com/madler/zlib"
 ZLIB_TAG="v1.2.13"
 ZLIB_ASAN="address alignment bounds undefined"
 ZLIB_MSAN="memory"
-FIDO2_ASAN="address bounds implicit-conversion leak pointer-compare pointer-subtract undefined"
-FIDO2_MSAN="memory"
+FIDO2_ASAN="address bounds fuzzer-no-link implicit-conversion leak"
+FIDO2_ASAN="${FIDO2_ASAN} pointer-compare pointer-subtract undefined"
+FIDO2_MSAN="fuzzer-no-link memory"
 COMMON_CFLAGS="-g2 -fno-omit-frame-pointer"
+COMMON_CFLAGS="${COMMON_CFLAGS} -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION"
 UBSAN_OPTIONS="halt_on_error=1:print_stacktrace=1:strict_string_checks=1"
 ASAN_OPTIONS="${UBSAN_OPTIONS}:detect_invalid_pointer_pairs=2:detect_leaks=1"
 MSAN_OPTIONS="${UBSAN_OPTIONS}"
@@ -27,11 +29,13 @@ asan)
 	LIBCBOR_CFLAGS="-fsanitize=$(echo "${LIBCBOR_ASAN}" | tr ' ' ',')"
 	ZLIB_CFLAGS="-fsanitize=$(echo "${ZLIB_ASAN}" | tr ' ' ',')"
 	FIDO2_CFLAGS="-fsanitize=$(echo "${FIDO2_ASAN}" | tr ' ' ',')"
+	FIDO2_CFLAGS="${FIDO2_CFLAGS} -fsanitize-address-use-after-scope"
 	;;
 msan)
 	LIBCBOR_CFLAGS="-fsanitize=$(echo "${LIBCBOR_MSAN}" | tr ' ' ',')"
 	ZLIB_CFLAGS="-fsanitize=$(echo "${ZLIB_MSAN}" | tr ' ' ',')"
-	FIDO2_CFLAGS="-fsanitize=$(echo "${FIDO2_MSAN}" | tr ' ' ',') -fsanitize-memory-track-origins"
+	FIDO2_CFLAGS="-fsanitize=$(echo "${FIDO2_MSAN}" | tr ' ' ',')"
+	FIDO2_CFLAGS="${FIDO2_CFLAGS} -fsanitize-memory-track-origins"
 	;;
 *)
 	echo "unknown sanitiser \"$1\"" 1>&2 && exit 1
@@ -75,7 +79,7 @@ mkdir build
 export PKG_CONFIG_PATH="${FAKEROOT}/lib/pkgconfig"
 (cd build && cmake -DCMAKE_BUILD_TYPE=Debug \
     -DCMAKE_C_FLAGS_DEBUG="${FIDO2_CFLAGS} ${COMMON_CFLAGS}" -DFUZZ=ON \
-    -DLIBFUZZER=ON "${WORKDIR}")
+    -DFUZZ_LDFLAGS="-fsanitize=fuzzer" "${WORKDIR}")
 make -j"$(nproc)" -C build
 
 # fuzz

.github/workflows/alpine_builds.yml

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2023 Yubico AB. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
@@ -27,20 +27,12 @@ jobs:
       run: |
         apk -q update
         apk add build-base clang clang-analyzer cmake coreutils eudev-dev
-        apk add git linux-headers openssl-dev sudo zlib-dev pcsc-lite-dev
+        apk add git linux-headers openssl-dev sudo zlib-dev pcsc-lite-dev \
+          libcbor-dev
     - name: fix permissions on workdir
       run: chown root:wheel "${GITHUB_WORKSPACE}"
     - name: checkout libfido2
       uses: actions/checkout@v2
-    - name: checkout libcbor
-      uses: actions/checkout@v2
-      with:
-        repository: PJK/libcbor
-        path: libcbor
-        ref: v0.9.0
-    - name: build libcbor
-      run: cmake -DCMAKE_BUILD_TYPE=Release . && make -j"$(nproc)" && sudo make install
-      working-directory: libcbor
     - name: build libfido2
       env:
         CC: ${{ matrix.cc }}

.github/workflows/bsd_builds.yml

@@ -14,11 +14,11 @@ on:
 jobs:
   build:
     if: github.repository == 'Yubico/libfido2'
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     strategy:
       fail-fast: false
       matrix:
-        image: [freebsd/13.x, openbsd/7.1]
+        image: [freebsd/13.x, openbsd/7.2]
     steps:
     - uses: actions/checkout@v2
     - name: dependencies

.github/workflows/codeql-analysis.yml

@@ -19,7 +19,7 @@ on:
 jobs:
   codeql-build:
     if: github.repository == 'Yubico/libfido2'
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
     - name: checkout
       uses: actions/checkout@v2

.github/workflows/linux_builds.yml

@@ -22,15 +22,16 @@ jobs:
       matrix:
         include:
           - { os: ubuntu-20.04, cc: gcc-8 }
-          - { os: ubuntu-20.04, cc: gcc-9 }
-          - { os: ubuntu-20.04, cc: gcc-10 }
-          - { os: ubuntu-20.04, cc: gcc-11 }
-#         - { os: ubuntu-22.04, cc: gcc-12 }
+          - { os: ubuntu-22.04, cc: gcc-9 }
+          - { os: ubuntu-22.04, cc: gcc-10 }
+          - { os: ubuntu-22.04, cc: gcc-11 }
+          - { os: ubuntu-22.04, cc: gcc-12 }
           - { os: ubuntu-20.04, cc: clang-12 }
-          - { os: ubuntu-20.04, cc: clang-13 }
-          - { os: ubuntu-20.04, cc: clang-14 }
+          - { os: ubuntu-22.04, cc: clang-13 }
+          - { os: ubuntu-22.04, cc: clang-14 }
+          - { os: ubuntu-22.04, cc: clang-15 }
           - { os: ubuntu-20.04, cc: i686-w64-mingw32-gcc-9 }
-          - { os: ubuntu-20.04, cc: i686-w64-mingw32-gcc-10 }
+          - { os: ubuntu-22.04, cc: i686-w64-mingw32-gcc-10 }
     steps:
     - uses: actions/checkout@v2
     - name: dependencies

.github/workflows/linux_fuzz.yml

@@ -20,8 +20,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ ubuntu-20.04 ]
-        cc: [ clang-14 ]
+        os: [ ubuntu-22.04 ]
+        cc: [ clang-15 ]
         sanitizer: [ asan, msan ]
     steps:
     - uses: actions/checkout@v2

.github/workflows/openssl3.yml

@@ -21,11 +21,11 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-20.04
+          - os: ubuntu-22.04
             cc: gcc-11
-          - os: ubuntu-20.04
-            cc: clang-14
-          - os: ubuntu-20.04
+          - os: ubuntu-22.04
+            cc: clang-15
+          - os: ubuntu-22.04
             cc: i686-w64-mingw32-gcc-10
     steps:
     - uses: actions/checkout@v2