New Upstream Release - libfido2

Ready changes

Summary

Merged new upstream version: 1.13.0 (was: 1.12.0).

Diff

diff --git a/CMakeLists.txt b/CMakeLists.txt
index dc31cc0..6fa341a 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -29,17 +29,17 @@ set(CMAKE_POSITION_INDEPENDENT_CODE ON)
 set(CMAKE_COLOR_MAKEFILE OFF)
 set(CMAKE_VERBOSE_MAKEFILE ON)
 set(FIDO_MAJOR "1")
-set(FIDO_MINOR "12")
+set(FIDO_MINOR "13")
 set(FIDO_PATCH "0")
 set(FIDO_VERSION ${FIDO_MAJOR}.${FIDO_MINOR}.${FIDO_PATCH})
 
+option(BUILD_TESTS       "Build the regress tests"                 ON)
 option(BUILD_EXAMPLES    "Build example programs"                  ON)
 option(BUILD_MANPAGES    "Build man pages"                         ON)
 option(BUILD_SHARED_LIBS "Build a shared library"                  ON)
 option(BUILD_STATIC_LIBS "Build a static library"                  ON)
 option(BUILD_TOOLS       "Build tool programs"                     ON)
 option(FUZZ              "Enable fuzzing instrumentation"          OFF)
-option(LIBFUZZER         "Build libfuzzer harnesses"               OFF)
 option(USE_HIDAPI        "Use hidapi as the HID backend"           OFF)
 option(USE_PCSC          "Enable experimental PCSC support"        OFF)
 option(USE_WINHELLO      "Abstract Windows Hello as a FIDO device" ON)
@@ -49,6 +49,14 @@ add_definitions(-D_FIDO_MAJOR=${FIDO_MAJOR})
 add_definitions(-D_FIDO_MINOR=${FIDO_MINOR})
 add_definitions(-D_FIDO_PATCH=${FIDO_PATCH})
 
+if(BUILD_SHARED_LIBS)
+	set(_FIDO2_LIBRARY fido2_shared)
+elseif(BUILD_STATIC_LIBS)
+	set(_FIDO2_LIBRARY fido2)
+else()
+	message(FATAL_ERROR "Nothing to build (BUILD_*_LIBS=OFF)")
+endif()
+
 if(CYGWIN OR MSYS OR MINGW)
 	set(WIN32 1)
 endif()
@@ -151,7 +159,7 @@ foreach(v ${CHECK_VARIABLES})
 	endif()
 endforeach()
 
-if(HAVE_EXPLICIT_BZERO AND NOT LIBFUZZER)
+if(HAVE_EXPLICIT_BZERO AND NOT FUZZ)
 	add_definitions(-DHAVE_EXPLICIT_BZERO)
 endif()
 
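Review bot: The condition `HAVE_EXPLICIT_BZERO AND NOT FUZZ` carries no comment saying why the platform's explicit_bzero() is withheld from fuzzing builds, and the switch from LIBFUZZER to FUZZ widens that to every `-DFUZZ=ON` configuration. Since explicit_bzero() is what code normally uses to scrub secrets, a reader should be told this is a test-only arrangement. I would add above the `if`: `# FUZZ builds skip the native explicit_bzero(); they are for testing only and must not be shipped.` The reason itself is not visible in this hunk, so the wording needs confirming by the author.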
@@ -159,19 +167,30 @@ if(UNIX)
 	add_definitions(-DHAVE_DEV_URANDOM)
 endif()
 
+
 if(MSVC)
 	if((NOT CBOR_INCLUDE_DIRS) OR (NOT CBOR_LIBRARY_DIRS) OR
-	   (NOT CBOR_BIN_DIRS) OR (NOT CRYPTO_INCLUDE_DIRS) OR
-	   (NOT CRYPTO_LIBRARY_DIRS) OR (NOT CRYPTO_BIN_DIRS) OR
-	   (NOT ZLIB_INCLUDE_DIRS) OR (NOT ZLIB_LIBRARY_DIRS) OR
-	   (NOT ZLIB_BIN_DIRS))
+	   (NOT CRYPTO_INCLUDE_DIRS) OR (NOT CRYPTO_LIBRARY_DIRS) OR
+	   (NOT ZLIB_INCLUDE_DIRS) OR (NOT ZLIB_LIBRARY_DIRS))
 		message(FATAL_ERROR "please define "
-		   "{CBOR,CRYPTO,ZLIB}_{INCLUDE,LIBRARY,BIN}_DIRS when "
+		   "{CBOR,CRYPTO,ZLIB}_{INCLUDE,LIBRARY}_DIRS when "
 		   "building under msvc")
 	endif()
-	set(CBOR_LIBRARIES cbor)
-	set(ZLIB_LIBRARIES zlib1)
-	set(CRYPTO_LIBRARIES crypto-49)
+	if(BUILD_TESTS AND BUILD_SHARED_LIBS AND
+	   ((NOT CBOR_BIN_DIRS) OR (NOT ZLIB_BIN_DIRS) OR (NOT CRYPTO_BIN_DIRS)))
+		message(FATAL_ERROR "please define {CBOR,CRYPTO,ZLIB}_BIN_DIRS "
+		   "when building tests")
+	endif()
+	if(NOT CBOR_LIBRARIES)
+		set(CBOR_LIBRARIES cbor)
+	endif()
+	if(NOT ZLIB_LIBRARIES)
+		set(ZLIB_LIBRARIES zlib1)
+	endif()
+	if(NOT CRYPTO_LIBRARIES)
+		set(CRYPTO_LIBRARIES crypto)
+	endif()
+
 	set(MSVC_DISABLED_WARNINGS_LIST
 		"C4152" # nonstandard extension used: function/data pointer
 			# conversion in expression;
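Review bot: The new `if(NOT CBOR_LIBRARIES)`, `if(NOT ZLIB_LIBRARIES)` and `if(NOT CRYPTO_LIBRARIES)` guards turn these names into user-settable inputs, but nothing documents them or the change of the MSVC libcrypto default from `crypto-49` to `crypto`. A short comment above the guards would help, for example `# {CBOR,CRYPTO,ZLIB}_LIBRARIES may be preset with -D to choose the import library to link; the values below are only defaults.` Because whatever is supplied is linked as given, the configure summary that prints these variables is the only place an unexpected library name shows up. The same pattern is added without comment in the non-MSVC hunk at `@@ -213,8 +232,12 @@`. The `if(MSVC)` block continues past the end of this hunk.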
@@ -213,8 +232,12 @@ else()
 		message(FATAL_ERROR "could not find zlib")
 	endif()
 
-	set(CBOR_LIBRARIES "cbor")
-	set(CRYPTO_LIBRARIES "crypto")
+	if(NOT CBOR_LIBRARIES)
+		set(CBOR_LIBRARIES "cbor")
+	endif()
+	if(NOT CRYPTO_LIBRARIES)
+		set(CRYPTO_LIBRARIES "crypto")
+	endif()
 
 	if(CMAKE_SYSTEM_NAME STREQUAL "Linux")
 		pkg_search_module(UDEV libudev REQUIRED)
@@ -305,9 +328,7 @@ else()
 		add_definitions(-DOPENSSL_API_COMPAT=0x10100000L)
 	endif()
 
-	if(LIBFUZZER)
-		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=fuzzer-no-link")
-	else()
+	if(NOT FUZZ)
 		set(EXTRA_CFLAGS "${EXTRA_CFLAGS} -Wframe-larger-than=2047")
 	endif()
 endif()
@@ -391,6 +412,9 @@ message(STATUS "BUILD_TOOLS: ${BUILD_TOOLS}")
 message(STATUS "CBOR_INCLUDE_DIRS: ${CBOR_INCLUDE_DIRS}")
 message(STATUS "CBOR_LIBRARIES: ${CBOR_LIBRARIES}")
 message(STATUS "CBOR_LIBRARY_DIRS: ${CBOR_LIBRARY_DIRS}")
+if(BUILD_TESTS)
+	message(STATUS "CBOR_BIN_DIRS: ${CBOR_BIN_DIRS}")
+endif()
 message(STATUS "CBOR_VERSION: ${CBOR_VERSION}")
 message(STATUS "CMAKE_BUILD_TYPE: ${CMAKE_BUILD_TYPE}")
 message(STATUS "CMAKE_C_COMPILER: ${CMAKE_C_COMPILER}")
@@ -408,12 +432,21 @@ message(STATUS "CMAKE_SYSTEM_VERSION: ${CMAKE_SYSTEM_VERSION}")
 message(STATUS "CRYPTO_INCLUDE_DIRS: ${CRYPTO_INCLUDE_DIRS}")
 message(STATUS "CRYPTO_LIBRARIES: ${CRYPTO_LIBRARIES}")
 message(STATUS "CRYPTO_LIBRARY_DIRS: ${CRYPTO_LIBRARY_DIRS}")
+if(BUILD_TESTS)
+	message(STATUS "CRYPTO_BIN_DIRS: ${CRYPTO_BIN_DIRS}")
+endif()
 message(STATUS "CRYPTO_VERSION: ${CRYPTO_VERSION}")
 message(STATUS "FIDO_VERSION: ${FIDO_VERSION}")
 message(STATUS "FUZZ: ${FUZZ}")
+if(FUZZ)
+	message(STATUS "FUZZ_LDFLAGS: ${FUZZ_LDFLAGS}")
+endif()
 message(STATUS "ZLIB_INCLUDE_DIRS: ${ZLIB_INCLUDE_DIRS}")
 message(STATUS "ZLIB_LIBRARIES: ${ZLIB_LIBRARIES}")
 message(STATUS "ZLIB_LIBRARY_DIRS: ${ZLIB_LIBRARY_DIRS}")
+if(BUILD_TESTS)
+	message(STATUS "ZLIB_BIN_DIRS: ${ZLIB_BIN_DIRS}")
+endif()
 message(STATUS "ZLIB_VERSION: ${ZLIB_VERSION}")
 if(USE_HIDAPI)
 	message(STATUS "HIDAPI_INCLUDE_DIRS: ${HIDAPI_INCLUDE_DIRS}")
@@ -425,7 +458,6 @@ message(STATUS "PCSC_INCLUDE_DIRS: ${PCSC_INCLUDE_DIRS}")
 message(STATUS "PCSC_LIBRARIES: ${PCSC_LIBRARIES}")
 message(STATUS "PCSC_LIBRARY_DIRS: ${PCSC_LIBRARY_DIRS}")
 message(STATUS "PCSC_VERSION: ${PCSC_VERSION}")
-message(STATUS "LIBFUZZER: ${LIBFUZZER}")
 message(STATUS "TLS: ${TLS}")
 message(STATUS "UDEV_INCLUDE_DIRS: ${UDEV_INCLUDE_DIRS}")
 message(STATUS "UDEV_LIBRARIES: ${UDEV_LIBRARIES}")
@@ -437,33 +469,30 @@ message(STATUS "USE_PCSC: ${USE_PCSC}")
 message(STATUS "USE_WINHELLO: ${USE_WINHELLO}")
 message(STATUS "NFC_LINUX: ${NFC_LINUX}")
 
-if(BUILD_SHARED_LIBS)
-	set(_FIDO2_LIBRARY fido2_shared)
-elseif(BUILD_STATIC_LIBS)
-	set(_FIDO2_LIBRARY fido2)
-else()
-	message(FATAL_ERROR "Nothing to build (BUILD_*_LIBS=OFF)")
+if(BUILD_TESTS)
+	enable_testing()
 endif()
 
-enable_testing()
+add_subdirectory(src)
 
-subdirs(src)
-subdirs(regress)
+if(BUILD_TESTS)
+	add_subdirectory(regress)
+endif()
 if(BUILD_EXAMPLES)
-	subdirs(examples)
+	add_subdirectory(examples)
 endif()
 if(BUILD_TOOLS)
-	subdirs(tools)
+	add_subdirectory(tools)
 endif()
 if(BUILD_MANPAGES)
-	subdirs(man)
+	add_subdirectory(man)
 endif()
 
 if(NOT WIN32)
 	if(FUZZ)
-		subdirs(fuzz)
+		add_subdirectory(fuzz)
 	endif()
 	if(CMAKE_SYSTEM_NAME STREQUAL "Linux")
-		subdirs(udev)
+		add_subdirectory(udev)
 	endif()
 endif()
diff --git a/LICENSE b/LICENSE
index 359c853..ad0e133 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2018-2022 Yubico AB. All rights reserved.
+Copyright (c) 2018-2023 Yubico AB. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
diff --git a/NEWS b/NEWS
index a5353cf..bf648aa 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,11 @@
+* Version 1.13.0 (2023-02-20)
+ ** Support for linking against OpenSSL on Windows; gh#668.
+ ** New API calls:
+  - fido_assert_empty_allow_list;
+  - fido_cred_empty_exclude_list.
+ ** fido2-token: fix issue when listing large blobs.
+ ** Improved support for different fuzzing engines.
+
 * Version 1.12.0 (2022-09-22)
  ** Support for COSE_ES384.
  ** Support for hidraw(4) on FreeBSD; gh#597.
diff --git a/README.adoc b/README.adoc
index 6d6a96e..44d5598 100644
--- a/README.adoc
+++ b/README.adoc
@@ -38,7 +38,7 @@ is also available.
 
 === Releases
 
-The current release of *libfido2* is 1.12.0. Signed release tarballs are
+The current release of *libfido2* is 1.13.0. Signed release tarballs are
 available at Yubico's
 https://developers.yubico.com/libfido2/Releases[release page].
 
@@ -119,7 +119,6 @@ officially supported.
 | BUILD_STATIC_LIBS | Build a static library                  | ON
 | BUILD_TOOLS       | Build auxiliary tools                   | ON
 | FUZZ              | Enable fuzzing instrumentation          | OFF
-| LIBFUZZER         | Build libfuzzer harnesses               | OFF
 | NFC_LINUX         | Enable netlink NFC support on Linux     | ON
 | USE_HIDAPI        | Use hidapi as the HID backend           | OFF
 | USE_PCSC          | Enable experimental PCSC support        | OFF
diff --git a/debian/changelog b/debian/changelog
index 082b297..67e1b20 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,12 @@
-libfido2 (1.12.0-3) UNRELEASED; urgency=medium
+libfido2 (1.13.0-1) UNRELEASED; urgency=medium
 
+  [ Colin Watson ]
   * Update standards version to 4.6.2, no changes needed.
 
- -- Colin Watson <cjwatson@debian.org>  Mon, 02 Jan 2023 13:53:04 -0000
+  [ Debian Janitor ]
+  * New upstream release.
+
+ -- Colin Watson <cjwatson@debian.org>  Wed, 29 Mar 2023 06:31:08 -0000
 
 libfido2 (1.12.0-2) unstable; urgency=medium
 
diff --git a/examples/README.adoc b/examples/README.adoc
index 6853757..d44218c 100644
--- a/examples/README.adoc
+++ b/examples/README.adoc
@@ -20,8 +20,7 @@ The following definitions are used in the description below:
 
 - <pubkey>
 
-	The file system path of a file containing a NIST P-256 public key in
-	PEM format.
+	The file system path of a file containing a public key in PEM format.
 
 - <blobkey>
 
@@ -72,8 +71,10 @@ The following examples are provided:
 	Asks <device> for a FIDO2 assertion corresponding to [cred_id],
 	which may be omitted for resident keys. The obtained assertion
 	is verified using <pubkey>. The -p option requests that the user
-	be present.  User verification may be requested through the -v
-	option. If option -u is specified, the assertion is generated using
+	be present and checks whether the user presence bit was signed by the
+	authenticator. The -v option requests user verification and checks
+	whether the user verification bit was signed by the authenticator.
+	If option -u is specified, the assertion is generated using
 	U2F (CTAP1) instead of FIDO2 (CTAP2) commands. If option -s is
 	specified, a FIDO2 hmac-secret is requested from the authenticator,
 	and the contents of <hmac_salt> are used as the salt. If option -h
diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt
index 52355c1..cc30baa 100644
--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) 2019 Yubico AB. All rights reserved.
+# Copyright (c) 2019-2023 Yubico AB. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
@@ -13,58 +13,70 @@ list(APPEND COMMON_SOURCES
 	mutator_aux.c
 )
 
-set(FUZZ_LDFLAGS "-fsanitize=fuzzer")
+# XXX: OSS-Fuzz require linking using CXX
+set(FUZZ_LINKER_LANGUAGE "C" CACHE STRING "Linker language for fuzz harnesses")
+mark_as_advanced(FUZZ_LINKER_LANGUAGE)
+enable_language(${FUZZ_LINKER_LANGUAGE})
 
 # fuzz_cred
 add_executable(fuzz_cred fuzz_cred.c ${COMMON_SOURCES} ${COMPAT_SOURCES})
-target_compile_options(fuzz_cred PRIVATE ${FUZZ_LDFLAGS})
-set_target_properties(fuzz_cred PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS})
+set_target_properties(fuzz_cred PROPERTIES
+	LINK_FLAGS ${FUZZ_LDFLAGS}
+	LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE})
 target_link_libraries(fuzz_cred fido2_shared)
 
 # fuzz_assert
 add_executable(fuzz_assert fuzz_assert.c ${COMMON_SOURCES} ${COMPAT_SOURCES})
-target_compile_options(fuzz_assert PRIVATE ${FUZZ_LDFLAGS})
-set_target_properties(fuzz_assert PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS})
+set_target_properties(fuzz_assert PROPERTIES
+	LINK_FLAGS ${FUZZ_LDFLAGS}
+	LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE})
 target_link_libraries(fuzz_assert fido2_shared)
 
 # fuzz_mgmt
 add_executable(fuzz_mgmt fuzz_mgmt.c ${COMMON_SOURCES} ${COMPAT_SOURCES})
-target_compile_options(fuzz_mgmt PRIVATE ${FUZZ_LDFLAGS})
-set_target_properties(fuzz_mgmt PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS})
+set_target_properties(fuzz_mgmt PROPERTIES
+	LINK_FLAGS ${FUZZ_LDFLAGS}
+	LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE})
 target_link_libraries(fuzz_mgmt fido2_shared)
 
 # fuzz_credman
 add_executable(fuzz_credman fuzz_credman.c ${COMMON_SOURCES} ${COMPAT_SOURCES})
-target_compile_options(fuzz_credman PRIVATE ${FUZZ_LDFLAGS})
-set_target_properties(fuzz_credman PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS})
+set_target_properties(fuzz_credman PROPERTIES
+	LINK_FLAGS ${FUZZ_LDFLAGS}
+	LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE})
 target_link_libraries(fuzz_credman fido2_shared)
 
 # fuzz_bio
 add_executable(fuzz_bio fuzz_bio.c ${COMMON_SOURCES} ${COMPAT_SOURCES})
-target_compile_options(fuzz_bio PRIVATE ${FUZZ_LDFLAGS})
-set_target_properties(fuzz_bio PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS})
+set_target_properties(fuzz_bio PROPERTIES
+	LINK_FLAGS ${FUZZ_LDFLAGS}
+	LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE})
 target_link_libraries(fuzz_bio fido2_shared)
 
 # fuzz_hid
 add_executable(fuzz_hid fuzz_hid.c ${COMMON_SOURCES} ${COMPAT_SOURCES})
-target_compile_options(fuzz_hid PRIVATE ${FUZZ_LDFLAGS})
-set_target_properties(fuzz_hid PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS})
+set_target_properties(fuzz_hid PROPERTIES
+	LINK_FLAGS ${FUZZ_LDFLAGS}
+	LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE})
 target_link_libraries(fuzz_hid fido2_shared)
 
 # fuzz_netlink
 add_executable(fuzz_netlink fuzz_netlink.c ${COMMON_SOURCES} ${COMPAT_SOURCES})
-target_compile_options(fuzz_netlink PRIVATE ${FUZZ_LDFLAGS})
-set_target_properties(fuzz_netlink PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS})
+set_target_properties(fuzz_netlink PROPERTIES
+	LINK_FLAGS ${FUZZ_LDFLAGS}
+	LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE})
 target_link_libraries(fuzz_netlink fido2_shared)
 
 # fuzz_largeblob
 add_executable(fuzz_largeblob fuzz_largeblob.c ${COMMON_SOURCES} ${COMPAT_SOURCES})
-target_compile_options(fuzz_largeblob PRIVATE ${FUZZ_LDFLAGS})
-set_target_properties(fuzz_largeblob PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS})
+set_target_properties(fuzz_largeblob PROPERTIES
+	LINK_FLAGS ${FUZZ_LDFLAGS}
+	LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE})
 target_link_libraries(fuzz_largeblob fido2_shared)
 
 # fuzz_pcsc
 add_executable(fuzz_pcsc fuzz_pcsc.c ${COMMON_SOURCES} ${COMPAT_SOURCES})
-target_compile_options(fuzz_pcsc PRIVATE ${FUZZ_LDFLAGS})
-set_target_properties(fuzz_pcsc PROPERTIES LINK_FLAGS ${FUZZ_LDFLAGS})
+set_target_properties(fuzz_pcsc PROPERTIES
+	LINK_FLAGS ${FUZZ_LDFLAGS}
+	LINKER_LANGUAGE ${FUZZ_LINKER_LANGUAGE})
 target_link_libraries(fuzz_pcsc fido2_shared)
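Review bot: `LINK_FLAGS ${FUZZ_LDFLAGS}` is expanded unquoted in all nine `set_target_properties` calls, and this hunk also removes the local `set(FUZZ_LDFLAGS "-fsanitize=fuzzer")`, so the value now has to come from outside this file. If it is empty or unset, the argument disappears and CMake is left with `LINK_FLAGS LINKER_LANGUAGE C`, an odd-length property list that fails at configure time. A value containing `;` would misalign the property/value pairs in the same way. Quoting keeps it a single value: `LINK_FLAGS "${FUZZ_LDFLAGS}"`. Whether a default is assigned elsewhere is not visible in this diff.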
diff --git a/fuzz/Dockerfile b/fuzz/Dockerfile
index 0c99f2c..9cda375 100644
--- a/fuzz/Dockerfile
+++ b/fuzz/Dockerfile
@@ -1,4 +1,4 @@
-# Copyright (c) 2019-2022 Yubico AB. All rights reserved.
+# Copyright (c) 2019-2023 Yubico AB. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
@@ -10,7 +10,7 @@ RUN apk -q update
 RUN apk add build-base clang clang-analyzer cmake compiler-rt coreutils
 RUN apk add eudev-dev git linux-headers llvm openssl-dev pcsc-lite-dev
 RUN apk add sudo tar zlib-dev
-RUN git clone --branch v0.9.0 --depth=1 https://github.com/PJK/libcbor
+RUN git clone --branch v0.10.1 --depth=1 https://github.com/PJK/libcbor
 RUN git clone --depth=1 https://github.com/yubico/libfido2
 WORKDIR /libfido2
 RUN ./fuzz/build-coverage /libcbor /libfido2
diff --git a/fuzz/Makefile b/fuzz/Makefile
index 857c89e..0e6756f 100644
--- a/fuzz/Makefile
+++ b/fuzz/Makefile
@@ -1,9 +1,9 @@
-# Copyright (c) 2019-2022 Yubico AB. All rights reserved.
+# Copyright (c) 2019-2023 Yubico AB. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
 
-IMAGE		:= libfido2-coverage:1.12.2
+IMAGE		:= libfido2-coverage:1.13.1
 RUNNER		:= libfido2-runner
 PROFDATA	:= llvm-profdata
 COV		:= llvm-cov
diff --git a/fuzz/README b/fuzz/README
index 2e88db7..427625c 100644
--- a/fuzz/README
+++ b/fuzz/README
@@ -8,7 +8,8 @@ use preload-fuzz.c to read device data from stdin.
 
 libFuzzer is better suited for bespoke fuzzers; see fuzz_cred.c, fuzz_credman.c,
 fuzz_assert.c, fuzz_hid.c, and fuzz_mgmt.c for examples. To build these
-harnesses, use -DFUZZ=ON -DLIBFUZZER=ON.
+harnesses, use -DCMAKE_C_FLAGS=-fsanitize=fuzzer-no-link
+-DFUZZ_LDFLAGS=-fsanitize=fuzzer -DFUZZ=ON.
 
 If -DFUZZ=ON is enabled, symbols listed in wrapped.sym are wrapped in the
 resulting shared object. The wrapper functions simulate failure according to a
@@ -21,20 +22,22 @@ To run under ASAN/MSAN/UBSAN, libfido2 needs to be linked against flavours of
 libcbor and OpenSSL built with the respective sanitiser. In order to keep
 memory utilisation at a manageable level, you can either enforce limits at
 the OS level (e.g. cgroups on Linux), or patch libcbor with the diff below.
+N.B., the patch below is relative to libcbor 0.10.1.
 
 diff --git src/cbor/internal/memory_utils.c src/cbor/internal/memory_utils.c
-index aa049a2..e294b38 100644
+index bbea63c..3f7c9af 100644
 --- src/cbor/internal/memory_utils.c
 +++ src/cbor/internal/memory_utils.c
-@@ -28,7 +28,10 @@ bool _cbor_safe_to_multiply(size_t a, size_t b) {
+@@ -41,7 +41,11 @@ size_t _cbor_safe_signaling_add(size_t a, size_t b) {
  
  void* _cbor_alloc_multiple(size_t item_size, size_t item_count) {
    if (_cbor_safe_to_multiply(item_size, item_count)) {
--    return _CBOR_MALLOC(item_size * item_count);
+-    return _cbor_malloc(item_size * item_count);
 +    if (item_count > 1000) {
 +      return NULL;
-+    } else
-+      return _CBOR_MALLOC(item_size * item_count);
++    } else {
++      return _cbor_malloc(item_size * item_count);
++    }
    } else {
      return NULL;
    }
diff --git a/fuzz/build-coverage b/fuzz/build-coverage
index 8c989fc..6cc5041 100755
--- a/fuzz/build-coverage
+++ b/fuzz/build-coverage
@@ -26,7 +26,9 @@ make -C "${LIBCBOR}/build" VERBOSE=1 all install
 # Build libfido2.
 mkdir -p "${LIBFIDO2}/build"
 export CFLAGS="-fprofile-instr-generate -fcoverage-mapping"
+export CFLAGS="${CFLAGS} -fsanitize=fuzzer-no-link"
 export LDFLAGS="${CFLAGS}"
-(cd "${LIBFIDO2}/build" && cmake -DFUZZ=ON -DLIBFUZZER=ON \
-    -DCMAKE_BUILD_TYPE=Debug ..)
+export FUZZ_LDFLAGS="${LDFLAGS} -fsanitize=fuzzer"
+(cd "${LIBFIDO2}/build" && cmake -DFUZZ=ON -DFUZZ_LDFLAGS="${FUZZ_LDFLAGS}" \
+	-DCMAKE_BUILD_TYPE=Debug ..)
 make -C "${LIBFIDO2}/build"
diff --git a/fuzz/fuzz_assert.c b/fuzz/fuzz_assert.c
index 603957e..9f39f3d 100644
--- a/fuzz/fuzz_assert.c
+++ b/fuzz/fuzz_assert.c
@@ -141,7 +141,7 @@ pack(uint8_t *ptr, size_t len, const struct param *p)
 			goto fail;
 
 	if ((cbor_len = cbor_serialize_alloc(array, &cbor,
-	    &cbor_alloc_len)) > len) {
+	    &cbor_alloc_len)) == 0 || cbor_len > len) {
 		cbor_len = 0;
 		goto fail;
 	}
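Review bot: The added `== 0` test would be easier to follow with a comment saying that zero is the failure return of cbor_serialize_alloc(), since the old code only compared the length against `len` and a failed serialisation passed that test. Something like `/* cbor_serialize_alloc() returns 0 on failure */` above the `if` would do. The identical change is made to pack() in fuzz_bio.c, fuzz_cred.c, fuzz_credman.c, fuzz_hid.c, fuzz_largeblob.c, fuzz_mgmt.c, fuzz_netlink.c and fuzz_pcsc.c, so the comment belongs in each of them. pack() starts and ends outside this hunk.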
diff --git a/fuzz/fuzz_bio.c b/fuzz/fuzz_bio.c
index 6ebfd15..0c6b12c 100644
--- a/fuzz/fuzz_bio.c
+++ b/fuzz/fuzz_bio.c
@@ -155,7 +155,7 @@ pack(uint8_t *ptr, size_t len, const struct param *p)
 			goto fail;
 
 	if ((cbor_len = cbor_serialize_alloc(array, &cbor,
-	    &cbor_alloc_len)) > len) {
+	    &cbor_alloc_len)) == 0 || cbor_len > len) {
 		cbor_len = 0;
 		goto fail;
 	}
diff --git a/fuzz/fuzz_cred.c b/fuzz/fuzz_cred.c
index a0866dc..497298f 100644
--- a/fuzz/fuzz_cred.c
+++ b/fuzz/fuzz_cred.c
@@ -151,7 +151,7 @@ pack(uint8_t *ptr, size_t len, const struct param *p)
 			goto fail;
 
 	if ((cbor_len = cbor_serialize_alloc(array, &cbor,
-	    &cbor_alloc_len)) > len) {
+	    &cbor_alloc_len)) == 0 || cbor_len > len) {
 		cbor_len = 0;
 		goto fail;
 	}
diff --git a/fuzz/fuzz_credman.c b/fuzz/fuzz_credman.c
index 1cb95dc..ef21475 100644
--- a/fuzz/fuzz_credman.c
+++ b/fuzz/fuzz_credman.c
@@ -142,7 +142,7 @@ pack(uint8_t *ptr, size_t len, const struct param *p)
 			goto fail;
 
 	if ((cbor_len = cbor_serialize_alloc(array, &cbor,
-	    &cbor_alloc_len)) > len) {
+	    &cbor_alloc_len)) == 0 || cbor_len > len) {
 		cbor_len = 0;
 		goto fail;
 	}
diff --git a/fuzz/fuzz_hid.c b/fuzz/fuzz_hid.c
index 27ccb2f..daaadad 100644
--- a/fuzz/fuzz_hid.c
+++ b/fuzz/fuzz_hid.c
@@ -105,7 +105,7 @@ pack(uint8_t *ptr, size_t len, const struct param *p)
 			goto fail;
 
 	if ((cbor_len = cbor_serialize_alloc(array, &cbor,
-	    &cbor_alloc_len)) > len) {
+	    &cbor_alloc_len)) == 0 || cbor_len > len) {
 		cbor_len = 0;
 		goto fail;
 	}
diff --git a/fuzz/fuzz_largeblob.c b/fuzz/fuzz_largeblob.c
index 4326296..6cdc0c0 100644
--- a/fuzz/fuzz_largeblob.c
+++ b/fuzz/fuzz_largeblob.c
@@ -119,7 +119,7 @@ pack(uint8_t *ptr, size_t len, const struct param *p)
 			goto fail;
 
 	if ((cbor_len = cbor_serialize_alloc(array, &cbor,
-	    &cbor_alloc_len)) > len) {
+	    &cbor_alloc_len)) == 0 || cbor_len > len) {
 		cbor_len = 0;
 		goto fail;
 	}
diff --git a/fuzz/fuzz_mgmt.c b/fuzz/fuzz_mgmt.c
index 6a5e7b6..cbc313d 100644
--- a/fuzz/fuzz_mgmt.c
+++ b/fuzz/fuzz_mgmt.c
@@ -139,7 +139,7 @@ pack(uint8_t *ptr, size_t len, const struct param *p)
 			goto fail;
 
 	if ((cbor_len = cbor_serialize_alloc(array, &cbor,
-	    &cbor_alloc_len)) > len) {
+	    &cbor_alloc_len)) == 0 || cbor_len > len) {
 		cbor_len = 0;
 		goto fail;
 	}
diff --git a/fuzz/fuzz_netlink.c b/fuzz/fuzz_netlink.c
index 2fa897e..4d28129 100644
--- a/fuzz/fuzz_netlink.c
+++ b/fuzz/fuzz_netlink.c
@@ -76,7 +76,7 @@ pack(uint8_t *ptr, size_t len, const struct param *p)
 			goto fail;
 
 	if ((cbor_len = cbor_serialize_alloc(array, &cbor,
-	    &cbor_alloc_len)) > len) {
+	    &cbor_alloc_len)) == 0 || cbor_len > len) {
 		cbor_len = 0;
 		goto fail;
 	}
diff --git a/fuzz/fuzz_pcsc.c b/fuzz/fuzz_pcsc.c
index f0f6cca..cf6210b 100644
--- a/fuzz/fuzz_pcsc.c
+++ b/fuzz/fuzz_pcsc.c
@@ -94,7 +94,7 @@ pack(uint8_t *ptr, size_t len, const struct param *p)
 			goto fail;
 
 	if ((cbor_len = cbor_serialize_alloc(array, &cbor,
-	    &cbor_alloc_len)) > len) {
+	    &cbor_alloc_len)) == 0 || cbor_len > len) {
 		cbor_len = 0;
 		goto fail;
 	}
diff --git a/man/CMakeLists.txt b/man/CMakeLists.txt
index cf32a3a..a47767f 100644
--- a/man/CMakeLists.txt
+++ b/man/CMakeLists.txt
@@ -59,6 +59,7 @@ list(APPEND MAN_ALIAS
 	es384_pk_new es384_pk_from_EVP_PKEY
 	es384_pk_new es384_pk_from_ptr
 	es384_pk_new es384_pk_to_EVP_PKEY
+	fido_assert_allow_cred fido_assert_empty_allow_list
 	fido_assert_new fido_assert_authdata_len
 	fido_assert_new fido_assert_authdata_ptr
 	fido_assert_new fido_assert_blob_len
@@ -149,6 +150,7 @@ list(APPEND MAN_ALIAS
 	fido_cbor_info_new fido_cbor_info_versions_len
 	fido_cbor_info_new fido_cbor_info_versions_ptr
 	fido_cbor_info_new fido_dev_get_cbor_info
+	fido_cred_exclude fido_cred_empty_exclude_list
 	fido_cred_new fido_cred_aaguid_len
 	fido_cred_new fido_cred_aaguid_ptr
 	fido_cred_new fido_cred_attstmt_len
@@ -295,7 +297,7 @@ endforeach()
 
 # man_html
 foreach(f ${MAN_SOURCES})
-	string(REGEX REPLACE ".[13]" "" g ${f})
+	string(REGEX REPLACE "\\.[13]$" "" g ${f})
 	add_custom_command(OUTPUT ${g}.html
 		COMMAND mandoc -T html -O man="%N.html",style=style.css -I os="Yubico AB" ${f} > ${g}.html
 		DEPENDS ${f})
@@ -304,7 +306,7 @@ endforeach()
 
 # man_html_partial
 foreach(f ${MAN_SOURCES})
-	string(REGEX REPLACE ".[13]" "" g ${f})
+	string(REGEX REPLACE "\\.[13]$" "" g ${f})
 	add_custom_command(OUTPUT ${g}.partial
 		COMMAND cat ${PROJECT_SOURCE_DIR}/man/dyc.css > ${g}.partial
 		COMMAND mandoc -T html -O man="%N.html",fragment ${f} >> ${g}.partial
@@ -357,7 +359,7 @@ if(MANDOC_PATH)
 	install(FILES ${PROJECT_SOURCE_DIR}/man/style.css
 		DESTINATION "${CMAKE_INSTALL_DOCDIR}/html")
 	foreach(f ${MAN_SOURCES})
-		string(REGEX REPLACE ".[13]" "" f ${f})
+		string(REGEX REPLACE "\\.[13]$" "" f ${f})
 		install(FILES ${PROJECT_BINARY_DIR}/man/${f}.html
 			DESTINATION "${CMAKE_INSTALL_DOCDIR}/html")
 	endforeach()
diff --git a/man/fido_assert_allow_cred.3 b/man/fido_assert_allow_cred.3
index 0690efc..6520137 100644
--- a/man/fido_assert_allow_cred.3
+++ b/man/fido_assert_allow_cred.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2018 Yubico AB. All rights reserved.
+.\" Copyright (c) 2018-2022 Yubico AB. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions are
@@ -25,16 +25,19 @@
 .\"
 .\" SPDX-License-Identifier: BSD-2-Clause
 .\"
-.Dd $Mdocdate: May 23 2018 $
+.Dd $Mdocdate: December 1 2022 $
 .Dt FIDO_ASSERT_ALLOW_CRED 3
 .Os
 .Sh NAME
-.Nm fido_assert_allow_cred
-.Nd allow a credential in a FIDO2 assertion
+.Nm fido_assert_allow_cred ,
+.Nm fido_assert_empty_allow_list
+.Nd manage allow lists in a FIDO2 assertion
 .Sh SYNOPSIS
 .In fido.h
 .Ft int
 .Fn fido_assert_allow_cred "fido_assert_t *assert" "const unsigned char *ptr" "size_t len"
+.Ft int
+.Fn fido_assert_empty_allow_list "fido_assert_t *assert"
 .Sh DESCRIPTION
 The
 .Fn fido_assert_allow_cred
@@ -56,9 +59,16 @@ fails, the existing list of allowed credentials is preserved.
 .Pp
 For the format of a FIDO2 credential ID, please refer to the
 Web Authentication (webauthn) standard.
+.Pp
+The
+.Fn fido_assert_empty_allow_list
+function empties the list of credentials allowed in
+.Fa assert .
 .Sh RETURN VALUES
 The error codes returned by
 .Fn fido_assert_allow_cred
+and
+.Fn fido_assert_empty_allow_list
 are defined in
 .In fido/err.h .
 On success,
diff --git a/man/fido_cred_exclude.3 b/man/fido_cred_exclude.3
index 0d4ba75..d5e840d 100644
--- a/man/fido_cred_exclude.3
+++ b/man/fido_cred_exclude.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2018 Yubico AB. All rights reserved.
+.\" Copyright (c) 2018-2022 Yubico AB. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions are
@@ -25,16 +25,19 @@
 .\"
 .\" SPDX-License-Identifier: BSD-2-Clause
 .\"
-.Dd $Mdocdate: May 23 2018 $
+.Dd $Mdocdate: December 2 2022 $
 .Dt FIDO_CRED_EXCLUDE 3
 .Os
 .Sh NAME
-.Nm fido_cred_exclude
-.Nd appends a credential ID to a credential's list of excluded credentials
+.Nm fido_cred_exclude ,
+.Nm fido_cred_empty_exclude_list
+.Nd manage exclude lists in a FIDO2 credential
 .Sh SYNOPSIS
 .In fido.h
 .Ft int
 .Fn fido_cred_exclude "fido_cred_t *cred" "const unsigned char *ptr" "size_t len"
+.Ft int
+.Fn fido_cred_empty_exclude_list "fido_cred_t *cred"
 .Sh DESCRIPTION
 The
 .Fn fido_cred_exclude
@@ -69,9 +72,16 @@ will fail.
 .Pp
 For the format of a FIDO2 credential ID, please refer to the
 Web Authentication (webauthn) standard.
+.Pp
+The
+.Fn fido_cred_empty_exclude_list
+function empties the list of credentials excluded by
+.Fa cred .
 .Sh RETURN VALUES
 The error codes returned by
 .Fn fido_cred_exclude
+and
+.Fn fido_cred_empty_exclude_list
 are defined in
 .In fido/err.h .
 On success,
diff --git a/src/assert.c b/src/assert.c
index a690f46..dabe8b9 100644
--- a/src/assert.c
+++ b/src/assert.c
@@ -673,7 +673,15 @@ fail:
 	free(id.ptr);
 
 	return (r);
+}
 
+int
+fido_assert_empty_allow_list(fido_assert_t *assert)
+{
+	fido_free_blob_array(&assert->allow_list);
+	memset(&assert->allow_list, 0, sizeof(assert->allow_list));
+
+	return (FIDO_OK);
 }
 
 int
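Review bot: fido_assert_empty_allow_list() is now exported API, yet it dereferences `assert` without a NULL check and has no comment describing its contract. If the library expects callers never to pass NULL, say so in a comment above the function; otherwise guard it with `if (assert == NULL) return (FIDO_ERR_INVALID_ARGUMENT);`. The function can only return FIDO_OK, and fido_assert_reset_tx() in the next hunk drops the result, so a `(void)` cast at that call would make the intent explicit. The same applies to fido_cred_empty_exclude_list() and its call from fido_cred_reset_tx() in src/cred.c.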
@@ -740,9 +748,8 @@ fido_assert_reset_tx(fido_assert_t *assert)
 	fido_blob_reset(&assert->cd);
 	fido_blob_reset(&assert->cdh);
 	fido_blob_reset(&assert->ext.hmac_salt);
-	fido_free_blob_array(&assert->allow_list);
+	fido_assert_empty_allow_list(assert);
 	memset(&assert->ext, 0, sizeof(assert->ext));
-	memset(&assert->allow_list, 0, sizeof(assert->allow_list));
 	assert->rp_id = NULL;
 	assert->up = FIDO_OPT_OMIT;
 	assert->uv = FIDO_OPT_OMIT;
diff --git a/src/cred.c b/src/cred.c
index 188afe4..4a7a725 100644
--- a/src/cred.c
+++ b/src/cred.c
@@ -562,11 +562,10 @@ fido_cred_reset_tx(fido_cred_t *cred)
 	free(cred->user.icon);
 	free(cred->user.name);
 	free(cred->user.display_name);
-	fido_free_blob_array(&cred->excl);
+	fido_cred_empty_exclude_list(cred);
 
 	memset(&cred->rp, 0, sizeof(cred->rp));
 	memset(&cred->user, 0, sizeof(cred->user));
-	memset(&cred->excl, 0, sizeof(cred->excl));
 	memset(&cred->ext, 0, sizeof(cred->ext));
 
 	cred->type = 0;
@@ -765,6 +764,15 @@ fido_cred_exclude(fido_cred_t *cred, const unsigned char *id_ptr, size_t id_len)
 	return (FIDO_OK);
 }
 
+int
+fido_cred_empty_exclude_list(fido_cred_t *cred)
+{
+	fido_free_blob_array(&cred->excl);
+	memset(&cred->excl, 0, sizeof(cred->excl));
+
+	return (FIDO_OK);
+}
+
 int
 fido_cred_set_clientdata(fido_cred_t *cred, const unsigned char *data,
     size_t data_len)
diff --git a/src/eddsa.c b/src/eddsa.c
index d043f89..bdb53b1 100644
--- a/src/eddsa.c
+++ b/src/eddsa.c
@@ -11,7 +11,7 @@
 #include "fido.h"
 #include "fido/eddsa.h"
 
-#if defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3070000f
 EVP_PKEY *
 EVP_PKEY_new_raw_public_key(int type, ENGINE *e, const unsigned char *key,
     size_t keylen)
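Review bot: The bare constant `0x3070000f` appears here and again in the matching guard in src/fido/eddsa.h, with nothing saying which LibreSSL release it denotes or why the fallback stops there. The two conditions have to stay identical, or the prototypes in the header and the definitions in this file will disagree. A comment on both, such as `/* LibreSSL before 3.7.0 lacks the raw public key API */`, or one shared macro in the header would make that harder to break. The release number and the reason are my reading of the constant and the guarded function names, so please confirm them. The guarded block continues past the end of this hunk.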
diff --git a/src/export.gnu b/src/export.gnu
index 6916837..604741e 100644
--- a/src/export.gnu
+++ b/src/export.gnu
@@ -25,6 +25,7 @@
 		fido_assert_clientdata_hash_len;
 		fido_assert_clientdata_hash_ptr;
 		fido_assert_count;
+		fido_assert_empty_allow_list;
 		fido_assert_flags;
 		fido_assert_free;
 		fido_assert_hmac_secret_len;
@@ -125,6 +126,7 @@
 		fido_cred_clientdata_hash_len;
 		fido_cred_clientdata_hash_ptr;
 		fido_cred_display_name;
+		fido_cred_empty_exclude_list;
 		fido_cred_exclude;
 		fido_cred_flags;
 		fido_cred_largeblob_key_len;
diff --git a/src/export.llvm b/src/export.llvm
index bd21fb4..0be8295 100644
--- a/src/export.llvm
+++ b/src/export.llvm
@@ -23,6 +23,7 @@ _fido_assert_blob_ptr
 _fido_assert_clientdata_hash_len
 _fido_assert_clientdata_hash_ptr
 _fido_assert_count
+_fido_assert_empty_allow_list
 _fido_assert_flags
 _fido_assert_free
 _fido_assert_hmac_secret_len
@@ -123,6 +124,7 @@ _fido_cred_authdata_raw_ptr
 _fido_cred_clientdata_hash_len
 _fido_cred_clientdata_hash_ptr
 _fido_cred_display_name
+_fido_cred_empty_exclude_list
 _fido_cred_exclude
 _fido_cred_flags
 _fido_cred_largeblob_key_len
diff --git a/src/export.msvc b/src/export.msvc
index 55147f9..10f8bd1 100644
--- a/src/export.msvc
+++ b/src/export.msvc
@@ -24,6 +24,7 @@ fido_assert_blob_ptr
 fido_assert_clientdata_hash_len
 fido_assert_clientdata_hash_ptr
 fido_assert_count
+fido_assert_empty_allow_list
 fido_assert_flags
 fido_assert_free
 fido_assert_hmac_secret_len
@@ -124,6 +125,7 @@ fido_cred_authdata_raw_ptr
 fido_cred_clientdata_hash_len
 fido_cred_clientdata_hash_ptr
 fido_cred_display_name
+fido_cred_empty_exclude_list
 fido_cred_exclude
 fido_cred_flags
 fido_cred_largeblob_key_len
diff --git a/src/fido.h b/src/fido.h
index ce7da16..607c44f 100644
--- a/src/fido.h
+++ b/src/fido.h
@@ -124,6 +124,7 @@ const unsigned char *fido_cred_user_id_ptr(const fido_cred_t *);
 const unsigned char *fido_cred_x5c_ptr(const fido_cred_t *);
 
 int fido_assert_allow_cred(fido_assert_t *, const unsigned char *, size_t);
+int fido_assert_empty_allow_list(fido_assert_t *);
 int fido_assert_set_authdata(fido_assert_t *, size_t, const unsigned char *,
     size_t);
 int fido_assert_set_authdata_raw(fido_assert_t *, size_t, const unsigned char *,
@@ -143,6 +144,7 @@ int fido_assert_set_uv(fido_assert_t *, fido_opt_t);
 int fido_assert_set_sig(fido_assert_t *, size_t, const unsigned char *, size_t);
 int fido_assert_verify(const fido_assert_t *, size_t, int, const void *);
 int fido_cbor_info_algorithm_cose(const fido_cbor_info_t *, size_t);
+int fido_cred_empty_exclude_list(fido_cred_t *);
 int fido_cred_exclude(fido_cred_t *, const unsigned char *, size_t);
 int fido_cred_prot(const fido_cred_t *);
 int fido_cred_set_attstmt(fido_cred_t *, const unsigned char *, size_t);
diff --git a/src/fido/eddsa.h b/src/fido/eddsa.h
index 7981a6f..5c0b681 100644
--- a/src/fido/eddsa.h
+++ b/src/fido/eddsa.h
@@ -53,7 +53,7 @@ int eddsa_pk_from_ptr(eddsa_pk_t *, const void *, size_t);
 
 #ifdef _FIDO_INTERNAL
 
-#if defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3070000f
 #define EVP_PKEY_ED25519 EVP_PKEY_NONE
 int EVP_PKEY_get_raw_public_key(const EVP_PKEY *, unsigned char *, size_t *);
 EVP_PKEY *EVP_PKEY_new_raw_public_key(int, ENGINE *, const unsigned char *,
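Review bot: The threshold `0x3070000f` on the changed `#if` is a bare magic number, so the next maintainer cannot tell which LibreSSL release it denotes or why the shim declarations stop applying there. A one-line comment above the `#if` would cover it, for example `/* LibreSSL before 3.7.0 has no EVP Ed25519 raw-key API; declare local shims */`. The release mapping is inferred from the constant's encoding and should be confirmed against LibreSSL's version header. The `#if` block continues past the end of this hunk.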
diff --git a/src/tpm.c b/src/tpm.c
index 69c48c3..3e09bca 100644
--- a/src/tpm.c
+++ b/src/tpm.c
@@ -48,7 +48,7 @@ struct tpm_sha256_digest {
 /* Part 2, 10.4.3: TPM2B_DATA */
 PACKED_TYPE(tpm_sha1_data_t,
 struct tpm_sha1_data {
-	uint16_t size; /* sizeof(body */
+	uint16_t size; /* sizeof(body) */
 	uint8_t  body[20];
 })
 
diff --git a/src/winhello.c b/src/winhello.c
index e0453cb..efc7dc2 100644
--- a/src/winhello.c
+++ b/src/winhello.c
@@ -85,7 +85,7 @@ webauthn_load(void)
 		fido_log_debug("%s: already loaded", __func__);
 		return -1;
 	}
-	if ((webauthn_handle = LoadLibrary("webauthn.dll")) == NULL) {
+	if ((webauthn_handle = LoadLibrary(TEXT("webauthn.dll"))) == NULL) {
 		fido_log_debug("%s: LoadLibrary", __func__);
 		return -1;
 	}
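Review bot: `LoadLibrary(TEXT("webauthn.dll"))` still resolves the DLL by bare name through the process's default search order, so a same-named file found earlier in that order would be loaded instead of the system copy. Since webauthn.dll is an OS component, restricting the lookup to the system directory is the safer call: `LoadLibraryEx(TEXT("webauthn.dll"), NULL, LOAD_LIBRARY_SEARCH_SYSTEM32)`. webauthn_load() starts and ends outside this hunk, so whether the process already narrows its DLL directories elsewhere is not visible here.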
@@ -472,12 +472,8 @@ unpack_assert_authdata(fido_assert_t *assert, const WEBAUTHN_ASSERTION *wa)
 {
 	int r;
 
-	if (wa->cbAuthenticatorData > SIZE_MAX) {
-		fido_log_debug("%s: cbAuthenticatorData", __func__);
-		return -1;
-	}
 	if ((r = fido_assert_set_authdata_raw(assert, 0, wa->pbAuthenticatorData,
-	    (size_t)wa->cbAuthenticatorData)) != FIDO_OK) {
+	    wa->cbAuthenticatorData)) != FIDO_OK) {
 		fido_log_debug("%s: fido_assert_set_authdata_raw: %s", __func__,
 		    fido_strerr(r));
 		return -1;
@@ -491,12 +487,8 @@ unpack_assert_sig(fido_assert_t *assert, const WEBAUTHN_ASSERTION *wa)
 {
 	int r;
 
-	if (wa->cbSignature > SIZE_MAX) {
-		fido_log_debug("%s: cbSignature", __func__);
-		return -1;
-	}
 	if ((r = fido_assert_set_sig(assert, 0, wa->pbSignature,
-	    (size_t)wa->cbSignature)) != FIDO_OK) {
+	    wa->cbSignature)) != FIDO_OK) {
 		fido_log_debug("%s: fido_assert_set_sig: %s", __func__,
 		    fido_strerr(r));
 		return -1;
@@ -508,12 +500,8 @@ unpack_assert_sig(fido_assert_t *assert, const WEBAUTHN_ASSERTION *wa)
 static int
 unpack_cred_id(fido_assert_t *assert, const WEBAUTHN_ASSERTION *wa)
 {
-	if (wa->Credential.cbId > SIZE_MAX) {
-		fido_log_debug("%s: Credential.cbId", __func__);
-		return -1;
-	}
 	if (fido_blob_set(&assert->stmt[0].id, wa->Credential.pbId,
-	    (size_t)wa->Credential.cbId) < 0) {
+	    wa->Credential.cbId) < 0) {
 		fido_log_debug("%s: fido_blob_set", __func__);
 		return -1;
 	}
@@ -526,12 +514,8 @@ unpack_user_id(fido_assert_t *assert, const WEBAUTHN_ASSERTION *wa)
 {
 	if (wa->cbUserId == 0)
 		return 0; /* user id absent */
-	if (wa->cbUserId > SIZE_MAX) {
-		fido_log_debug("%s: cbUserId", __func__);
-		return -1;
-	}
 	if (fido_blob_set(&assert->stmt[0].user.id, wa->pbUserId,
-	    (size_t)wa->cbUserId) < 0) {
+	    wa->cbUserId) < 0) {
 		fido_log_debug("%s: fido_blob_set", __func__);
 		return -1;
 	}
@@ -549,7 +533,6 @@ unpack_hmac_secret(fido_assert_t *assert, const WEBAUTHN_ASSERTION *wa)
 	}
 	if (wa->pHmacSecret == NULL ||
 	    wa->pHmacSecret->cbFirst == 0 ||
-	    wa->pHmacSecret->cbFirst > SIZE_MAX ||
 	    wa->pHmacSecret->pbFirst == NULL) {
 		fido_log_debug("%s: hmac-secret absent", __func__);
 		return 0; /* proceed without hmac-secret */
@@ -564,7 +547,7 @@ unpack_hmac_secret(fido_assert_t *assert, const WEBAUTHN_ASSERTION *wa)
 		return -1;
 	}
 	if (fido_blob_set(&assert->stmt[0].hmac_secret,
-	    wa->pHmacSecret->pbFirst, (size_t)wa->pHmacSecret->cbFirst) < 0) {
+	    wa->pHmacSecret->pbFirst, wa->pHmacSecret->cbFirst) < 0) {
 		fido_log_debug("%s: fido_blob_set", __func__);
 		return -1;
 	}
@@ -752,13 +735,12 @@ translate_winhello_cred(fido_cred_t *cred,
 	struct cbor_load_result cbor;
 	int r = FIDO_ERR_INTERNAL;
 
-	if (att->pbAttestationObject == NULL ||
-	    att->cbAttestationObject > SIZE_MAX) {
+	if (att->pbAttestationObject == NULL) {
 		fido_log_debug("%s: pbAttestationObject", __func__);
 		goto fail;
 	}
 	if ((item = cbor_load(att->pbAttestationObject,
-	    (size_t)att->cbAttestationObject, &cbor)) == NULL) {
+	    att->cbAttestationObject, &cbor)) == NULL) {
 		fido_log_debug("%s: cbor_load", __func__);
 		goto fail;
 	}
diff --git a/tools/largeblob.c b/tools/largeblob.c
index 00cf79e..78b97ab 100644
--- a/tools/largeblob.c
+++ b/tools/largeblob.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 Yubico AB. All rights reserved.
+ * Copyright (c) 2020-2022 Yubico AB. All rights reserved.
  * Use of this source code is governed by a BSD-style
  * license that can be found in the LICENSE file.
  * SPDX-License-Identifier: BSD-2-Clause
@@ -25,6 +25,8 @@
 #include "../openbsd-compat/openbsd-compat.h"
 #include "extern.h"
 
+#define BOUND (1024UL * 1024UL)
+
 struct rkmap {
 	fido_credman_rp_t  *rp; /* known rps */
 	fido_credman_rk_t **rk; /* rk per rp */
@@ -303,34 +305,56 @@ out:
 }
 
 static int
-decompress(const struct blob *plaintext, uint64_t origsiz)
+try_decompress(const struct blob *in, uint64_t origsiz, int wbits)
 {
-	struct blob inflated;
-	u_long ilen, plen;
+	struct blob out;
+	z_stream zs;
+	u_int ilen, olen;
 	int ok = -1;
 
-	memset(&inflated, 0, sizeof(inflated));
+	memset(&zs, 0, sizeof(zs));
+	memset(&out, 0, sizeof(out));
 
-	if (plaintext->len > ULONG_MAX)
+	if (in->len > UINT_MAX || (ilen = (u_int)in->len) > BOUND)
 		return -1;
-	if (origsiz > ULONG_MAX || origsiz > SIZE_MAX)
+	if (origsiz > SIZE_MAX || origsiz > UINT_MAX ||
+	    (olen = (u_int)origsiz) > BOUND)
 		return -1;
-	plen = (u_long)plaintext->len;
-	ilen = (u_long)origsiz;
-	inflated.len = (size_t)origsiz;
-	if ((inflated.ptr = calloc(1, inflated.len)) == NULL)
+	if (inflateInit2(&zs, wbits) != Z_OK)
 		return -1;
-	if (uncompress(inflated.ptr, &ilen, plaintext->ptr, plen) != Z_OK ||
-	    ilen > SIZE_MAX || (size_t)ilen != (size_t)origsiz)
-		goto out;
 
-	ok = 0; /* success */
-out:
-	freezero(inflated.ptr, inflated.len);
+	if ((out.ptr = calloc(1, olen)) == NULL)
+		goto fail;
+
+	out.len = olen;
+	zs.next_in = in->ptr;
+	zs.avail_in = ilen;
+	zs.next_out = out.ptr;
+	zs.avail_out = olen;
+
+	if (inflate(&zs, Z_FINISH) != Z_STREAM_END)
+		goto fail;
+	if (zs.avail_out != 0)
+		goto fail;
+
+	ok = 0;
+fail:
+	if (inflateEnd(&zs) != Z_OK)
+		ok = -1;
+
+	freezero(out.ptr, out.len);
 
 	return ok;
 }
 
+static int
+decompress(const struct blob *plaintext, uint64_t origsiz)
+{
+	if (try_decompress(plaintext, origsiz, MAX_WBITS) == 0) /* rfc1950 */
+		return 0;
+	return try_decompress(plaintext, origsiz, -MAX_WBITS); /* rfc1951 */
+}
+
 static int
 decode(const struct blob *ciphertext, const struct blob *nonce,
     uint64_t origsiz, const fido_cred_t *cred)
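Review bot: try_decompress() checks that the output buffer was filled exactly (`zs.avail_out != 0`) but never checks that the input was fully consumed, so bytes trailing the end of the deflate stream are accepted silently. If the large-blob plaintext is expected to hold exactly one compressed stream, tighten the test to `if (zs.avail_out != 0 || zs.avail_in != 0)`. The two-pass fallback in decompress() would also benefit from a comment saying why both encodings are accepted, e.g. `/* try zlib-wrapped (rfc1950) first, then raw deflate (rfc1951) */`, and `BOUND` from one stating that it caps both the compressed and the inflated size. decode(), whose signature closes the hunk, continues outside it.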
diff --git a/udev/70-u2f.rules b/udev/70-u2f.rules
index 913bef2..c443f75 100644
--- a/udev/70-u2f.rules
+++ b/udev/70-u2f.rules
@@ -216,6 +216,9 @@ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2ccf", ATTRS{idProduct
 # TrustKey Solutions FIDO2 G310 by eWBM Co., Ltd.
 KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="311f", ATTRS{idProduct}=="4a1a", TAG+="uaccess", GROUP="plugdev", MODE="0660"
 
+# TrustKey Solutions FIDO2 G310H/G320H by eWBM Co., Ltd.
+KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="311f", ATTRS{idProduct}=="4a2a", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
 # TrustKey Solutions FIDO2 G320 by eWBM Co., Ltd.
 KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="311f", ATTRS{idProduct}=="4c2a", TAG+="uaccess", GROUP="plugdev", MODE="0660"
 
diff --git a/udev/fidodevs b/udev/fidodevs
index d8a80fc..196e92f 100644
--- a/udev/fidodevs
+++ b/udev/fidodevs
@@ -115,6 +115,7 @@ product LEDGER		0x4015	Ledger Nano X Legacy
 product HYPERSECU	0x0880	Hypersecu HyperFIDO
 
 product EWBM		0x4a1a	TrustKey Solutions FIDO2 G310
+product EWBM		0x4a2a	TrustKey Solutions FIDO2 G310H/G320H
 product EWBM		0x4c2a	TrustKey Solutions FIDO2 G320
 product EWBM		0x5c2f	eWBM FIDO2 Goldengate G500
 product EWBM		0xa6e9	TrustKey Solutions FIDO2 T120
diff --git a/windows/build.ps1 b/windows/build.ps1
index 4c3a969..52a1d66 100644
--- a/windows/build.ps1
+++ b/windows/build.ps1
@@ -163,8 +163,8 @@ try {
 	& $CMake ..\..\..\${LIBCBOR} -A "${Arch}" `
 	    -DWITH_EXAMPLES=OFF `
 	    -DBUILD_SHARED_LIBS="${SHARED}" `
-	    -DCMAKE_C_FLAGS_DEBUG="${CFLAGS_DEBUG}" `
-	    -DCMAKE_C_FLAGS_RELEASE="${CFLAGS_RELEASE}" `
+	    -DCMAKE_C_FLAGS_DEBUG="${CFLAGS_DEBUG} /wd4703" `
+	    -DCMAKE_C_FLAGS_RELEASE="${CFLAGS_RELEASE} /wd4703" `
 	    -DCMAKE_INSTALL_PREFIX="${PREFIX}" "${CMAKE_SYSTEM_VERSION}"; `
 	    ExitOnError
 	& $CMake --build . --config ${Config} --verbose; ExitOnError
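Review bot: `/wd4703` is appended to both libcbor flag sets with no explanation, which silences C4703 (potentially uninitialized local pointer variable used) for the whole dependency build. A comment above the `& $CMake` invocation would record why and for which version, for example `# ${LIBCBOR} triggers C4703 in <file>; suppressed for libcbor only, revisit on the next bump.` The file name is a placeholder because the offending code is not shown on this page. The enclosing `try` block starts outside the hunk.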
@@ -219,6 +219,7 @@ try {
 	    -DCRYPTO_INCLUDE_DIRS="${PREFIX}\include" `
 	    -DCRYPTO_LIBRARY_DIRS="${PREFIX}\lib" `
 	    -DCRYPTO_BIN_DIRS="${PREFIX}\bin" `
+	    -DCRYPTO_LIBRARIES="${CRYPTO_LIBRARIES}" `
 	    -DCMAKE_C_FLAGS_DEBUG="${CFLAGS_DEBUG} ${Fido2Flags}" `
 	    -DCMAKE_C_FLAGS_RELEASE="${CFLAGS_RELEASE} ${Fido2Flags}" `
 	    -DCMAKE_INSTALL_PREFIX="${PREFIX}" "${CMAKE_SYSTEM_VERSION}"; `
@@ -230,7 +231,7 @@ try {
 	    ExitOnError
 	# Copy DLLs.
 	if ("${SHARED}" -eq "ON") {
-		"cbor.dll", "crypto-49.dll", "zlib1.dll" | `
+		"cbor.dll", "${CRYPTO_LIBRARIES}.dll", "zlib1.dll" | `
 		    %{ Copy-Item "${PREFIX}\bin\$_" `
 		    -Destination "examples\${Config}" }
 	}
diff --git a/windows/const.ps1 b/windows/const.ps1
index 31426e9..f657846 100644
--- a/windows/const.ps1
+++ b/windows/const.ps1
@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Yubico AB. All rights reserved.
+# Copyright (c) 2021-2023 Yubico AB. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
@@ -7,17 +7,18 @@
 New-Variable -Name 'LIBRESSL_URL' `
     -Value 'https://fastly.cdn.openbsd.org/pub/OpenBSD/LibreSSL' `
     -Option Constant
-New-Variable -Name 'LIBRESSL' -Value 'libressl-3.5.3' -Option Constant
+New-Variable -Name 'LIBRESSL' -Value 'libressl-3.6.2' -Option Constant
+New-Variable -Name 'CRYPTO_LIBRARIES' -Value 'crypto-50' -Option Constant
 
 # libcbor coordinates.
-New-Variable -Name 'LIBCBOR' -Value 'libcbor-0.9.0' -Option Constant
-New-Variable -Name 'LIBCBOR_BRANCH' -Value 'v0.9.0' -Option Constant
+New-Variable -Name 'LIBCBOR' -Value 'libcbor-0.10.1' -Option Constant
+New-Variable -Name 'LIBCBOR_BRANCH' -Value 'v0.10.1' -Option Constant
 New-Variable -Name 'LIBCBOR_GIT' -Value 'https://github.com/pjk/libcbor' `
     -Option Constant
 
 # zlib coordinates.
-New-Variable -Name 'ZLIB' -Value 'zlib-1.2.12' -Option Constant
-New-Variable -Name 'ZLIB_BRANCH' -Value 'v1.2.12' -Option Constant
+New-Variable -Name 'ZLIB' -Value 'zlib-1.2.13' -Option Constant
+New-Variable -Name 'ZLIB_BRANCH' -Value 'v1.2.13' -Option Constant
 New-Variable -Name 'ZLIB_GIT' -Value 'https://github.com/madler/zlib' `
     -Option Constant
 
diff --git a/windows/release.ps1 b/windows/release.ps1
index 423ec20..cc5f635 100644
--- a/windows/release.ps1
+++ b/windows/release.ps1
@@ -8,7 +8,6 @@ $Architectures = @('x64', 'Win32', 'ARM64', 'ARM')
 $InstallPrefixes =  @('Win64', 'Win32', 'ARM64', 'ARM')
 $Types = @('dynamic', 'static')
 $Config = 'Release'
-$LibCrypto = '49'
 $SDK = '143'
 
 . "$PSScriptRoot\const.ps1"
@@ -36,8 +35,8 @@ Function Package-Dynamic(${SRC}, ${DEST}) {
 	Copy-Item "${SRC}\lib\cbor.lib" "${DEST}"
 	Copy-Item "${SRC}\bin\zlib1.dll" "${DEST}"
 	Copy-Item "${SRC}\lib\zlib1.lib" "${DEST}"
-	Copy-Item "${SRC}\bin\crypto-${LibCrypto}.dll" "${DEST}"
-	Copy-Item "${SRC}\lib\crypto-${LibCrypto}.lib" "${DEST}"
+	Copy-Item "${SRC}\bin\${CRYPTO_LIBRARIES}.dll" "${DEST}"
+	Copy-Item "${SRC}\lib\${CRYPTO_LIBRARIES}.lib" "${DEST}"
 	Copy-Item "${SRC}\bin\fido2.dll" "${DEST}"
 	Copy-Item "${SRC}\lib\fido2.lib" "${DEST}"
 }
@@ -45,13 +44,13 @@ Function Package-Dynamic(${SRC}, ${DEST}) {
 Function Package-Static(${SRC}, ${DEST}) {
 	Copy-Item "${SRC}/lib/cbor.lib" "${DEST}"
 	Copy-Item "${SRC}/lib/zlib1.lib" "${DEST}"
-	Copy-Item "${SRC}/lib/crypto-${LibCrypto}.lib" "${DEST}"
+	Copy-Item "${SRC}/lib/${CRYPTO_LIBRARIES}.lib" "${DEST}"
 	Copy-Item "${SRC}/lib/fido2_static.lib" "${DEST}/fido2.lib"
 }
 
 Function Package-PDBs(${SRC}, ${DEST}) {
 	Copy-Item "${SRC}\${LIBRESSL}\crypto\crypto_obj.dir\${Config}\crypto_obj.pdb" `
-	    "${DEST}\crypto-${LibCrypto}.pdb"
+	    "${DEST}\${CRYPTO_LIBRARIES}.pdb"
 	Copy-Item "${SRC}\${LIBCBOR}\src\cbor.dir\${Config}\vc${SDK}.pdb" `
 	    "${DEST}\cbor.pdb"
 	Copy-Item "${SRC}\${ZLIB}\zlib.dir\${Config}\vc${SDK}.pdb" `
@@ -62,7 +61,7 @@ Function Package-PDBs(${SRC}, ${DEST}) {
 
 Function Package-StaticPDBs(${SRC}, ${DEST}) {
 	Copy-Item "${SRC}\${LIBRESSL}\crypto\crypto_obj.dir\${Config}\crypto_obj.pdb" `
-	    "${DEST}\crypto-${LibCrypto}.pdb"
+	    "${DEST}\${CRYPTO_LIBRARIES}.pdb"
 	Copy-Item "${SRC}\${LIBCBOR}\src\${Config}\cbor.pdb" `
 	    "${DEST}\cbor.pdb"
 	Copy-Item "${SRC}\${ZLIB}\${Config}\zlibstatic.pdb" `
