git: 079a1c2059e7 - stable/13 - libfido2: update to 1.10.0

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Fri, 21 Jul 2023 15:38:39 UTC
The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=079a1c2059e7cc19360ff6840317efefdff876a1

commit 079a1c2059e7cc19360ff6840317efefdff876a1
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-05-05 23:57:34 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-07-21 14:41:42 +0000

    libfido2: update to 1.10.0
    
    Some highlights from NEWS:
    
     ** bio: fix CTAP2 canonical CBOR encoding in fido_bio_dev_enroll_*();
        gh#480.
     ** New API calls:
      - fido_dev_info_set;
      - fido_dev_io_handle;
      - fido_dev_new_with_info;
      - fido_dev_open_with_info.
     ** Documentation and reliability fixes.
     ** Support for TPM 2.0 attestation of COSE_ES256 credentials.
    
    Relnotes:       Yes
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit 3e696dfb7009cd8ffa12e36f48f4339bb7a2048d)
---
 contrib/libfido2/CMakeLists.txt                  |  47 +-
 contrib/libfido2/LICENSE                         |   2 +-
 contrib/libfido2/NEWS                            |  14 +
 contrib/libfido2/README.adoc                     |   4 +-
 contrib/libfido2/SECURITY.md                     |   5 +
 contrib/libfido2/examples/README.adoc            |   2 +-
 contrib/libfido2/fuzz/Dockerfile                 |   2 +-
 contrib/libfido2/fuzz/Makefile                   |   2 +-
 contrib/libfido2/fuzz/export.gnu                 |   1 +
 contrib/libfido2/fuzz/functions.txt              |  35 +-
 contrib/libfido2/fuzz/fuzz_hid.c                 |  11 +-
 contrib/libfido2/fuzz/report.tgz                 | Bin 320981 -> 323706 bytes
 contrib/libfido2/fuzz/summary.txt                |  14 +-
 contrib/libfido2/man/CMakeLists.txt              |  17 +-
 contrib/libfido2/man/check.sh                    |  42 ++
 contrib/libfido2/man/eddsa_pk_new.3              |   4 +-
 contrib/libfido2/man/es256_pk_new.3              |   8 +-
 contrib/libfido2/man/fido2-assert.1              |   6 +-
 contrib/libfido2/man/fido2-cred.1                |   6 +-
 contrib/libfido2/man/fido2-token.1               |  24 +-
 contrib/libfido2/man/fido_assert_allow_cred.3    |   4 +-
 contrib/libfido2/man/fido_assert_new.3           |  95 ++--
 contrib/libfido2/man/fido_assert_set_authdata.3  |  57 ++-
 contrib/libfido2/man/fido_assert_verify.3        |   6 +-
 contrib/libfido2/man/fido_bio_dev_get_info.3     |   2 +-
 contrib/libfido2/man/fido_bio_enroll_new.3       |   4 +-
 contrib/libfido2/man/fido_bio_info_new.3         |   2 +-
 contrib/libfido2/man/fido_bio_template.3         |   4 +-
 contrib/libfido2/man/fido_cbor_info_new.3        |   3 +-
 contrib/libfido2/man/fido_cred_exclude.3         |   2 +-
 contrib/libfido2/man/fido_cred_new.3             |  10 +-
 contrib/libfido2/man/fido_cred_set_authdata.3    |  20 +-
 contrib/libfido2/man/fido_cred_verify.3          |  44 +-
 contrib/libfido2/man/fido_credman_metadata_new.3 |   6 +-
 contrib/libfido2/man/fido_dev_enable_entattest.3 |   6 +-
 contrib/libfido2/man/fido_dev_get_assert.3       |   6 +-
 contrib/libfido2/man/fido_dev_get_touch_begin.3  |   4 +-
 contrib/libfido2/man/fido_dev_info_manifest.3    |  41 +-
 contrib/libfido2/man/fido_dev_largeblob_get.3    |  10 +-
 contrib/libfido2/man/fido_dev_make_cred.3        |   6 +-
 contrib/libfido2/man/fido_dev_open.3             |  71 ++-
 contrib/libfido2/man/fido_dev_set_io_functions.3 |  81 +++-
 contrib/libfido2/man/fido_dev_set_pin.3          |   2 +-
 contrib/libfido2/man/fido_init.3                 |  28 +-
 contrib/libfido2/man/fido_strerr.3               |   2 +-
 contrib/libfido2/man/rs256_pk_new.3              |   4 +-
 contrib/libfido2/regress/cred.c                  | 576 ++++++++++++++++++++++-
 contrib/libfido2/src/CMakeLists.txt              |   2 +-
 contrib/libfido2/src/bio.c                       |   4 +-
 contrib/libfido2/src/cbor.c                      |   1 -
 contrib/libfido2/src/dev.c                       |   7 +
 contrib/libfido2/src/eddsa.c                     |   6 +-
 contrib/libfido2/src/export.gnu                  |   4 +
 contrib/libfido2/src/export.llvm                 |   4 +
 contrib/libfido2/src/export.msvc                 |   4 +
 contrib/libfido2/src/extern.h                    |   1 -
 contrib/libfido2/src/fido.h                      |   8 +-
 contrib/libfido2/src/fido/types.h                |   4 +-
 contrib/libfido2/src/hid.c                       |  56 ++-
 contrib/libfido2/src/hid_osx.c                   |  62 ++-
 contrib/libfido2/src/hid_win.c                   |   2 +-
 contrib/libfido2/src/tpm.c                       | 144 +++++-
 contrib/libfido2/src/webauthn.h                  |  88 +++-
 contrib/libfido2/src/winhello.c                  | 171 ++++---
 contrib/libfido2/tools/test.sh                   |   6 +-
 contrib/libfido2/windows/build.ps1               |   2 +-
 contrib/libfido2/windows/const.ps1               |   6 +-
 contrib/libfido2/windows/cygwin.gpg              | Bin 0 -> 2193 bytes
 contrib/libfido2/windows/cygwin.ps1              |  68 +++
 contrib/libfido2/windows/release.ps1             |  19 +-
 lib/libfido2/Makefile                            |   2 +-
 71 files changed, 1639 insertions(+), 374 deletions(-)

diff --git a/contrib/libfido2/CMakeLists.txt b/contrib/libfido2/CMakeLists.txt
index d775a98c5b48..11a51ac5a645 100644
--- a/contrib/libfido2/CMakeLists.txt
+++ b/contrib/libfido2/CMakeLists.txt
@@ -9,7 +9,7 @@ project(libfido2 C)
 cmake_minimum_required(VERSION 3.0)
 # Set PIE flags for POSITION_INDEPENDENT_CODE targets, added in CMake 3.14.
 if(POLICY CMP0083)
-  cmake_policy(SET CMP0083 NEW)
+	cmake_policy(SET CMP0083 NEW)
 endif()
 
 include(CheckCCompilerFlag)
@@ -21,14 +21,14 @@ include(CheckTypeSize)
 include(GNUInstallDirs)
 include(CheckPIESupported OPTIONAL RESULT_VARIABLE CHECK_PIE_SUPPORTED)
 if(CHECK_PIE_SUPPORTED)
-  check_pie_supported(LANGUAGES C)
+	check_pie_supported(LANGUAGES C)
 endif()
 
 set(CMAKE_POSITION_INDEPENDENT_CODE ON)
 set(CMAKE_COLOR_MAKEFILE OFF)
 set(CMAKE_VERBOSE_MAKEFILE ON)
 set(FIDO_MAJOR "1")
-set(FIDO_MINOR "9")
+set(FIDO_MINOR "10")
 set(FIDO_PATCH "0")
 set(FIDO_VERSION ${FIDO_MAJOR}.${FIDO_MINOR}.${FIDO_PATCH})
 
@@ -40,16 +40,15 @@ option(BUILD_TOOLS       "Build tool programs"                     ON)
 option(FUZZ              "Enable fuzzing instrumentation"          OFF)
 option(LIBFUZZER         "Build libfuzzer harnesses"               OFF)
 option(USE_HIDAPI        "Use hidapi as the HID backend"           OFF)
-option(USE_WINHELLO      "Abstract Windows Hello as a FIDO device" OFF)
-option(NFC_LINUX         "Experimental NFC support on Linux"       OFF)
+option(USE_WINHELLO      "Abstract Windows Hello as a FIDO device" ON)
+option(NFC_LINUX         "Enable NFC support on Linux"             ON)
 
 add_definitions(-D_FIDO_MAJOR=${FIDO_MAJOR})
 add_definitions(-D_FIDO_MINOR=${FIDO_MINOR})
 add_definitions(-D_FIDO_PATCH=${FIDO_PATCH})
 
-if(CYGWIN OR MSYS)
+if(CYGWIN OR MSYS OR MINGW)
 	set(WIN32 1)
-	add_definitions(-DWINVER=0x0a00)
 endif()
 
 if(WIN32)
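Review bot: The two changed `option()` lines now default `USE_WINHELLO` and `NFC_LINUX` to `ON` on every platform, so the value shown here is not necessarily the effective one. Later hunks in this file reset them with `set(NFC_LINUX OFF)` (under MSVC, and in an `else()` branch whose condition is outside the hunk) and `set(USE_WINHELLO OFF)` for non-WIN32 builds. A comment above the options would make that explicit, for example `# Defaults only; forced OFF further down on platforms without the backend.`. On Linux the NFC transport is now compiled in unless `-DNFC_LINUX=OFF` is passed, which is worth stating in the build notes for packagers who want to keep the set of device-facing parsers minimal.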
@@ -68,12 +67,13 @@ if(NOT MSVC)
 		set(FIDO_CFLAGS "${FIDO_CFLAGS} -D_DARWIN_C_SOURCE")
 		set(FIDO_CFLAGS "${FIDO_CFLAGS} -D__STDC_WANT_LIB_EXT1__=1")
 	elseif(CMAKE_SYSTEM_NAME STREQUAL "Linux")
-		set(NFC_LINUX ON)
 		set(FIDO_CFLAGS "${FIDO_CFLAGS} -D_GNU_SOURCE")
 		set(FIDO_CFLAGS "${FIDO_CFLAGS} -D_DEFAULT_SOURCE")
 	elseif(CMAKE_SYSTEM_NAME STREQUAL "FreeBSD" OR
 	    CMAKE_SYSTEM_NAME STREQUAL "MidnightBSD")
 		set(FIDO_CFLAGS "${FIDO_CFLAGS} -D__BSD_VISIBLE=1")
+	elseif(CMAKE_SYSTEM_NAME STREQUAL "NetBSD")
+		set(FIDO_CFLAGS "${FIDO_CFLAGS} -D_NETBSD_SOURCE")
 	endif()
 	set(FIDO_CFLAGS "${FIDO_CFLAGS} -std=c99")
 	set(CMAKE_C_FLAGS "${FIDO_CFLAGS} ${CMAKE_C_FLAGS}")
@@ -167,12 +167,13 @@ if(MSVC)
 	endif()
 	set(CBOR_LIBRARIES cbor)
 	set(ZLIB_LIBRARIES zlib)
-	set(CRYPTO_LIBRARIES crypto-46)
+	set(CRYPTO_LIBRARIES crypto-47)
 	set(MSVC_DISABLED_WARNINGS_LIST
 		"C4152" # nonstandard extension used: function/data pointer
 			# conversion in expression;
 		"C4200" # nonstandard extension used: zero-sized array in
 			# struct/union;
+		"C4201" # nonstandard extension used: nameless struct/union;
 		"C4204" # nonstandard extension used: non-constant aggregate
 			# initializer;
 		"C4706" # assignment within conditional expression;
@@ -188,8 +189,10 @@ if(MSVC)
 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -MP -W4 -WX ${MSVC_DISABLED_WARNINGS_STR}")
 	set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} /Od /Z7 /guard:cf /sdl /RTCcsu")
 	set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} /Zi /guard:cf /sdl")
-	add_definitions(-DUSE_WINHELLO)
-	set(USE_WINHELLO ON)
+	if(USE_WINHELLO)
+		add_definitions(-DUSE_WINHELLO)
+	endif()
+	set(NFC_LINUX OFF)
 else()
 	include(FindPkgConfig)
 	pkg_search_module(CBOR libcbor)
@@ -223,6 +226,8 @@ else()
 				set(BASE_LIBRARIES ${BASE_LIBRARIES} rt)
 			endif()
 		endif()
+	else()
+		set(NFC_LINUX OFF)
 	endif()
 
 	if(MINGW)
@@ -238,14 +243,18 @@ else()
 		set(HIDAPI_LIBRARIES hidapi${HIDAPI_SUFFIX})
 	endif()
 
-	if(FUZZ)
-		set(NFC_LINUX ON)
-	endif()
-
 	if(NFC_LINUX)
 		add_definitions(-DNFC_LINUX)
 	endif()
 
+	if(WIN32)
+		if(USE_WINHELLO)
+			add_definitions(-DUSE_WINHELLO)
+		endif()
+	else()
+		set(USE_WINHELLO OFF)
+	endif()
+
 	add_compile_options(-Wall)
 	add_compile_options(-Wextra)
 	add_compile_options(-Werror)
@@ -257,6 +266,10 @@ else()
 	add_compile_options(-pedantic)
 	add_compile_options(-pedantic-errors)
 
+	if(WIN32)
+		add_compile_options(-Wno-type-limits)
+		add_compile_options(-Wno-cast-function-type)
+	endif()
 	if(HAVE_SHORTEN_64_TO_32)
 		add_compile_options(-Wshorten-64-to-32)
 	endif()
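Review bot: The added `-Wno-type-limits` and `-Wno-cast-function-type` go through `add_compile_options`, so they apply to every translation unit of a WIN32 build. A mismatched function-pointer cast or an always-true range check anywhere in the library is then no longer reported under `-Werror`. If only a few Windows-specific sources need the suppressions (not visible in this hunk), scope them with `set_source_files_properties(<file> PROPERTIES COMPILE_FLAGS "-Wno-cast-function-type")` in the directory that builds those sources. Failing that, add a comment such as `# required by <reason>` so the suppression can be revisited. The enclosing `else()` branch starts and ends outside this hunk.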
@@ -306,10 +319,10 @@ elseif(NOT MSVC)
 	# clang/gcc + gnu ld
 	if(FUZZ)
 		string(CONCAT CMAKE_SHARED_LINKER_FLAGS ${CMAKE_SHARED_LINKER_FLAGS}
-                    " -Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/fuzz/export.gnu")
+		    " -Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/fuzz/export.gnu")
 	else()
 		string(CONCAT CMAKE_SHARED_LINKER_FLAGS ${CMAKE_SHARED_LINKER_FLAGS}
-                    " -Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/src/export.gnu")
+		    " -Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/src/export.gnu")
 	endif()
 	if(NOT WIN32)
 		string(CONCAT CMAKE_SHARED_LINKER_FLAGS
diff --git a/contrib/libfido2/LICENSE b/contrib/libfido2/LICENSE
index 4224f20992c0..75a03f87e3af 100644
--- a/contrib/libfido2/LICENSE
+++ b/contrib/libfido2/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2018-2021 Yubico AB. All rights reserved.
+Copyright (c) 2018-2022 Yubico AB. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
diff --git a/contrib/libfido2/NEWS b/contrib/libfido2/NEWS
index 04cda4e0e83a..a48b685156c1 100644
--- a/contrib/libfido2/NEWS
+++ b/contrib/libfido2/NEWS
@@ -1,3 +1,17 @@
+* Version 1.10.0 (2022-01-17)
+ ** hid_osx: handle devices with paths > 511 bytes; gh#462.
+ ** bio: fix CTAP2 canonical CBOR encoding in fido_bio_dev_enroll_*(); gh#480.
+ ** winhello: fallback to GetTopWindow() if GetForegroundWindow() fails.
+ ** winhello: fallback to hid_win.c if webauthn.dll isn't available.
+ ** New API calls:
+  - fido_dev_info_set;
+  - fido_dev_io_handle;
+  - fido_dev_new_with_info;
+  - fido_dev_open_with_info.
+ ** Cygwin and NetBSD build fixes.
+ ** Documentation and reliability fixes.
+ ** Support for TPM 2.0 attestation of COSE_ES256 credentials.
+
 * Version 1.9.0 (2021-10-27)
  ** Enabled NFC support on Linux.
  ** Added OpenSSL 3.0 compatibility.
diff --git a/contrib/libfido2/README.adoc b/contrib/libfido2/README.adoc
index a0e188bf8774..114cc5eed762 100644
--- a/contrib/libfido2/README.adoc
+++ b/contrib/libfido2/README.adoc
@@ -10,7 +10,7 @@ image:https://oss-fuzz-build-logs.storage.googleapis.com/badges/libfido2.svg["Fu
 communicate with a FIDO device over USB, and to verify attestation and
 assertion signatures.
 
-*libfido2* supports the FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2) protocols.
+*libfido2* supports the FIDO U2F (CTAP 1) and FIDO2 (CTAP 2) protocols.
 
 For usage, see the `examples/` directory.
 
@@ -42,7 +42,7 @@ is also available.
 
 ==== Releases
 
-The current release of *libfido2* is 1.9.0. Please consult Yubico's
+The current release of *libfido2* is 1.10.0. Please consult Yubico's
 https://developers.yubico.com/libfido2/Releases[release page] for source
 and binary releases.
 
diff --git a/contrib/libfido2/SECURITY.md b/contrib/libfido2/SECURITY.md
new file mode 100644
index 000000000000..e12a48a847ba
--- /dev/null
+++ b/contrib/libfido2/SECURITY.md
@@ -0,0 +1,5 @@
+# Reporting libfido2 Security Issues
+
+To report security issues in libfido2, please contact security@yubico.com.
+A PGP public key can be found at
+https://www.yubico.com/support/security-advisories/issue-rating-system/.
diff --git a/contrib/libfido2/examples/README.adoc b/contrib/libfido2/examples/README.adoc
index bcecb22f5258..44ee52743a0d 100644
--- a/contrib/libfido2/examples/README.adoc
+++ b/contrib/libfido2/examples/README.adoc
@@ -25,7 +25,7 @@ The following definitions are used in the description below:
 
 - <blobkey>
 
-	A credential's associated FIDO 2.1 "largeBlob" symmetric key.
+	A credential's associated CTAP 2.1 "largeBlob" symmetric key.
 
 === Description
 
diff --git a/contrib/libfido2/fuzz/Dockerfile b/contrib/libfido2/fuzz/Dockerfile
index f175991d0462..aefe1980ada4 100644
--- a/contrib/libfido2/fuzz/Dockerfile
+++ b/contrib/libfido2/fuzz/Dockerfile
@@ -7,6 +7,6 @@ ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update
 RUN apt-get install -y clang-12 cmake git libssl-dev libudev-dev make pkg-config
 RUN apt-get install -y zlib1g-dev
-RUN git clone --branch v0.8.0 https://github.com/PJK/libcbor
+RUN git clone --branch v0.9.0 https://github.com/PJK/libcbor
 RUN git clone https://github.com/yubico/libfido2
 RUN CC=clang-12 CXX=clang++-12 /libfido2/fuzz/build-coverage /libcbor /libfido2
diff --git a/contrib/libfido2/fuzz/Makefile b/contrib/libfido2/fuzz/Makefile
index 1a974a2bf557..ce3fee73c69c 100644
--- a/contrib/libfido2/fuzz/Makefile
+++ b/contrib/libfido2/fuzz/Makefile
@@ -2,7 +2,7 @@
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 
-IMAGE		:= libfido2-coverage:1.9.1
+IMAGE		:= libfido2-coverage:1.10.0
 RUNNER		:= libfido2-runner
 PROFDATA	:= llvm-profdata-12
 COV		:= llvm-cov-12
diff --git a/contrib/libfido2/fuzz/export.gnu b/contrib/libfido2/fuzz/export.gnu
index 0c712b30a429..cac142ae970e 100644
--- a/contrib/libfido2/fuzz/export.gnu
+++ b/contrib/libfido2/fuzz/export.gnu
@@ -201,6 +201,7 @@
 		fido_dev_info_product;
 		fido_dev_info_product_string;
 		fido_dev_info_ptr;
+		fido_dev_info_set;
 		fido_dev_info_vendor;
 		fido_dev_is_fido2;
 		fido_dev_major;
diff --git a/contrib/libfido2/fuzz/functions.txt b/contrib/libfido2/fuzz/functions.txt
index 886893b1d11d..946682d07d00 100644
--- a/contrib/libfido2/fuzz/functions.txt
+++ b/contrib/libfido2/fuzz/functions.txt
@@ -172,7 +172,7 @@ cbor_array_iter                             12       0 100.00%        16       0
 cbor_parse_reply                            27       0 100.00%        36       0 100.00%
 cbor_vector_free                             6       0 100.00%         5       0 100.00%
 cbor_bytestring_copy                        14       0 100.00%        18       0 100.00%
-cbor_string_copy                            14       1  92.86%        18       3  83.33%
+cbor_string_copy                            14       0 100.00%        18       0 100.00%
 cbor_add_bytestring                         14       0 100.00%        21       0 100.00%
 cbor_add_string                             14       0 100.00%        21       0 100.00%
 cbor_add_bool                               14       0 100.00%        21       0 100.00%
@@ -200,7 +200,7 @@ cbor_decode_uint64                           4       0 100.00%         8       0
 cbor_decode_cred_id                          8       0 100.00%         9       0 100.00%
 cbor_decode_user                             8       0 100.00%         9       0 100.00%
 cbor_decode_rp_entity                        8       0 100.00%         9       0 100.00%
-cbor_build_uint                             10       4  60.00%         9       4  55.56%
+cbor_build_uint                             10       1  90.00%         9       2  77.78%
 cbor_array_append                           17       0 100.00%        21       0 100.00%
 cbor_array_drop                             18       2  88.89%        17       3  82.35%
 cbor.c:ctap_check_cbor                      28       0 100.00%        26       0 100.00%
@@ -209,7 +209,7 @@ cbor.c:cbor_add_arg                         13       0 100.00%        21       0
 cbor.c:cbor_add_uint8                       14       0 100.00%        21       0 100.00%
 cbor.c:cbor_encode_largeblob_key_ext         6       0 100.00%         6       0 100.00%
 cbor.c:cbor_encode_hmac_secret_param        59       4  93.22%        66       8  87.88%
-cbor.c:get_cose_alg                         36       1  97.22%        38       3  92.11%
+cbor.c:get_cose_alg                         36       0 100.00%        38       0 100.00%
 cbor.c:find_cose_alg                        35       0 100.00%        33       0 100.00%
 cbor.c:decode_attcred                       25       0 100.00%        44       0 100.00%
 cbor.c:decode_cred_extensions               14       0 100.00%        24       0 100.00%
@@ -222,7 +222,7 @@ cbor.c:decode_cred_id_entry                 10       0 100.00%        19       0
 cbor.c:decode_user_entry                    25       0 100.00%        35       0 100.00%
 cbor.c:decode_rp_entity_entry               15       0 100.00%        25       0 100.00%
 ------------------------------------------------------------------------------------------------------------------
-TOTAL                                     1047      28  97.33%      1237      54  95.63%
+TOTAL                                     1047      23  97.80%      1237      46  96.28%
 
 File '/libfido2/src/compress.c':
 Name                                   Regions    Miss   Cover     Lines    Miss   Cover
@@ -386,6 +386,7 @@ fido_dev_get_touch_begin                     50       0 100.00%        59
 fido_dev_get_touch_status                    17       0 100.00%        20       0 100.00%
 fido_dev_set_io_functions                    18       4  77.78%        14       6  57.14%
 fido_dev_set_transport_functions              6       2  66.67%         9       3  66.67%
+fido_dev_io_handle                            1       1   0.00%         3       3   0.00%
 fido_init                                     8       1  87.50%         5       0 100.00%
 fido_dev_new                                  5       0 100.00%        14       0 100.00%
 fido_dev_new_with_info                       10      10   0.00%        16      16   0.00%
@@ -419,7 +420,7 @@ dev.c:fido_dev_set_extension_flags            7       0 100.00%         7
 dev.c:fido_dev_set_option_flags              29       0 100.00%        18       0 100.00%
 dev.c:fido_dev_set_protocol_flags            11       0 100.00%        17       0 100.00%
 -------------------------------------------------------------------------------------------------------------------
-TOTAL                                       420      78  81.43%       488     102  79.10%
+TOTAL                                       421      79  81.24%       491     105  78.62%
 
 File '/libfido2/src/ecdh.c':
 Name                                    Regions    Miss   Cover     Lines    Miss   Cover
@@ -493,8 +494,9 @@ Name                                    Regions    Miss   Cover     Lines    Mis
 fido_hid_get_usage                           13       0 100.00%        22       0 100.00%
 fido_hid_get_report_len                      19       0 100.00%        27       0 100.00%
 fido_dev_info_new                             1       0 100.00%         3       0 100.00%
-fido_dev_info_free                            9       0 100.00%        14       0 100.00%
+fido_dev_info_free                            9       0 100.00%         9       0 100.00%
 fido_dev_info_ptr                             1       0 100.00%         3       0 100.00%
+fido_dev_info_set                            26       2  92.31%        30       3  90.00%
 fido_dev_info_path                            1       0 100.00%         3       0 100.00%
 fido_dev_info_vendor                          1       0 100.00%         3       0 100.00%
 fido_dev_info_product                         1       0 100.00%         3       0 100.00%
@@ -502,8 +504,9 @@ fido_dev_info_manufacturer_string             1       0 100.00%         3
 fido_dev_info_product_string                  1       0 100.00%         3       0 100.00%
 hid.c:get_key_len                             6       0 100.00%        12       0 100.00%
 hid.c:get_key_val                             6       0 100.00%        18       0 100.00%
+hid.c:fido_dev_info_reset                     1       0 100.00%         6       0 100.00%
 -------------------------------------------------------------------------------------------------------------------
-TOTAL                                        60       0 100.00%       114       0 100.00%
+TOTAL                                        87       2  97.70%       145       3  97.93%
 
 File '/libfido2/src/hid_linux.c':
 Name                                    Regions    Miss   Cover     Lines    Miss   Cover
@@ -612,7 +615,7 @@ File '/libfido2/src/largeblob.c':
 Name                                    Regions    Miss   Cover     Lines    Miss   Cover
 -------------------------------------------------------------------------------------------------------------------
 fido_dev_largeblob_get                       26       2  92.31%        38       4  89.47%
-fido_dev_largeblob_set                       27       2  92.59%        36       4  88.89%
+fido_dev_largeblob_set                       27       0 100.00%        36       0 100.00%
 fido_dev_largeblob_remove                    12       0 100.00%        18       0 100.00%
 fido_dev_largeblob_get_array                 15       2  86.67%        27       4  85.19%
 fido_dev_largeblob_set_array                 14       0 100.00%        19       0 100.00%
@@ -642,7 +645,7 @@ largeblob.c:largeblob_get_uv_token           19       0 100.00%        23
 largeblob.c:largeblob_set_tx                 35       0 100.00%        36       0 100.00%
 largeblob.c:prepare_hmac                     13       2  84.62%        23       7  69.57%
 -------------------------------------------------------------------------------------------------------------------
-TOTAL                                       513      21  95.91%       684      47  93.13%
+TOTAL                                       513      19  96.30%       684      43  93.71%
 
 File '/libfido2/src/log.c':
 Name                                    Regions    Miss   Cover     Lines    Miss   Cover
@@ -783,11 +786,11 @@ TOTAL                                          24       0 100.00%        23
 File '/libfido2/src/rs1.c':
 Name                                      Regions    Miss   Cover     Lines    Miss   Cover
 ---------------------------------------------------------------------------------------------------------------------
-rs1_verify_sig                                 20       1  95.00%        30       3  90.00%
+rs1_verify_sig                                 20       0 100.00%        30       0 100.00%
 rs1.c:rs1_get_EVP_MD                            4       0 100.00%         6       0 100.00%
 rs1.c:rs1_free_EVP_MD                           1       0 100.00%         3       0 100.00%
 ---------------------------------------------------------------------------------------------------------------------
-TOTAL                                          25       1  96.00%        39       3  92.31%
+TOTAL                                          25       0 100.00%        39       0 100.00%
 
 File '/libfido2/src/rs256.c':
 Name                                      Regions    Miss   Cover     Lines    Miss   Cover
@@ -820,15 +823,17 @@ TOTAL                                          43       3  93.02%        43
 File '/libfido2/src/tpm.c':
 Name                                      Regions    Miss   Cover     Lines    Miss   Cover
 ---------------------------------------------------------------------------------------------------------------------
-fido_get_signed_hash_tpm                       20       0 100.00%        25       0 100.00%
-tpm.c:check_rsa2048_pubarea                    16       0 100.00%        28       0 100.00%
-tpm.c:bswap_rsa2048_pubarea                     1       0 100.00%        10       0 100.00%
+fido_get_signed_hash_tpm                       25       0 100.00%        39       0 100.00%
+tpm.c:check_es256_pubarea                      18       0 100.00%        30       0 100.00%
+tpm.c:bswap_es256_pubarea                       1       0 100.00%        12       0 100.00%
+tpm.c:check_rs256_pubarea                      16       0 100.00%        28       0 100.00%
+tpm.c:bswap_rs256_pubarea                       1       0 100.00%        10       0 100.00%
 tpm.c:check_sha1_certinfo                      14       0 100.00%        38       0 100.00%
 tpm.c:get_signed_sha1                          17       0 100.00%        19       0 100.00%
 tpm.c:get_signed_name                           7       0 100.00%        10       0 100.00%
 tpm.c:bswap_sha1_certinfo                       1       0 100.00%         8       0 100.00%
 ---------------------------------------------------------------------------------------------------------------------
-TOTAL                                          76       0 100.00%       138       0 100.00%
+TOTAL                                         100       0 100.00%       194       0 100.00%
 
 File '/libfido2/src/types.c':
 Name                                      Regions    Miss   Cover     Lines    Miss   Cover
diff --git a/contrib/libfido2/fuzz/fuzz_hid.c b/contrib/libfido2/fuzz/fuzz_hid.c
index 556e62ac4cd3..eaf00dc92de8 100644
--- a/contrib/libfido2/fuzz/fuzz_hid.c
+++ b/contrib/libfido2/fuzz/fuzz_hid.c
@@ -175,15 +175,20 @@ static void
 manifest(const struct param *p)
 {
 	size_t ndevs, nfound;
-	fido_dev_info_t *devlist;
+	fido_dev_info_t *devlist = NULL, *devlist_set = NULL;
 	int16_t vendor_id, product_id;
+	fido_dev_io_t io;
+	fido_dev_transport_t t;
 
+	memset(&io, 0, sizeof(io));
+	memset(&t, 0, sizeof(t));
 	set_netlink_io_functions(fd_read, fd_write);
 	set_wire_data(p->netlink_wiredata.body, p->netlink_wiredata.len);
 	set_udev_parameters(p->uevent, &p->report_descriptor);
 
 	ndevs = uniform_random(64);
 	if ((devlist = fido_dev_info_new(ndevs)) == NULL ||
+	    (devlist_set = fido_dev_info_new(1)) == NULL ||
 	    fido_dev_info_manifest(devlist, ndevs, &nfound) != FIDO_OK)
 		goto out;
 	for (size_t i = 0; i < nfound; i++) {
@@ -195,9 +200,13 @@ manifest(const struct param *p)
 		product_id = fido_dev_info_product(di);
 		consume(&vendor_id, sizeof(vendor_id));
 		consume(&product_id, sizeof(product_id));
+		fido_dev_info_set(devlist_set, 0, fido_dev_info_path(di),
+		    fido_dev_info_manufacturer_string(di),
+		    fido_dev_info_product_string(di), &io, &t);
 	}
 out:
 	fido_dev_info_free(&devlist, ndevs);
+	fido_dev_info_free(&devlist_set, 1);
 }
 
 void
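Review bot: The added `fido_dev_info_set()` call in the loop discards its return value and always writes slot 0 of `devlist_set`, so each iteration replaces the entry stored by the previous one. If that is intentional, say so with a short comment such as `/* reuse slot 0 so every iteration replaces the previous entry */` and make the discard explicit with `(void)fido_dev_info_set(...)`. `io` and `t` are passed zero-filled (the `memset` calls are in the preceding hunk, where `manifest()` begins), so the harness appears never to hand the function a populated callback table. A one-line comment noting that limitation would help anyone reading the coverage numbers.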
diff --git a/contrib/libfido2/fuzz/report.tgz b/contrib/libfido2/fuzz/report.tgz
index cf74f315cb80..d78f4628de59 100644
Binary files a/contrib/libfido2/fuzz/report.tgz and b/contrib/libfido2/fuzz/report.tgz differ
diff --git a/contrib/libfido2/fuzz/summary.txt b/contrib/libfido2/fuzz/summary.txt
index 298c8377379f..05c000aa7757 100644
--- a/contrib/libfido2/fuzz/summary.txt
+++ b/contrib/libfido2/fuzz/summary.txt
@@ -16,33 +16,33 @@ src/authkey.c                             44                 0   100.00%
 src/bio.c                                419                20    95.23%          49                 2    95.92%         559                21    96.24%
 src/blob.c                                53                 2    96.23%          10                 0   100.00%          83                 4    95.18%
 src/buf.c                                  8                 1    87.50%           2                 0   100.00%          16                 1    93.75%
-src/cbor.c                              1047                28    97.33%          54                 0   100.00%        1237                54    95.63%
+src/cbor.c                              1047                23    97.80%          54                 0   100.00%        1237                46    96.28%
 src/compress.c                            34                 4    88.24%           3                 0   100.00%          28                 3    89.29%
 src/config.c                             108                 0   100.00%          11                 0   100.00%         151                 0   100.00%
 src/cred.c                               632                34    94.62%          69                 2    97.10%         830                36    95.66%
 src/credman.c                            382                10    97.38%          40                 0   100.00%         518                15    97.10%
-src/dev.c                                420                78    81.43%          44                 6    86.36%         488               102    79.10%
+src/dev.c                                421                79    81.24%          45                 7    84.44%         491               105    78.62%
 src/ecdh.c                               117                 2    98.29%           4                 0   100.00%         146                 5    96.58%
 src/eddsa.c                               80                 3    96.25%          10                 0   100.00%         106                 8    92.45%
 src/err.c                                122                10    91.80%           1                 0   100.00%         126                10    92.06%
 src/es256.c                              306                 5    98.37%          19                 0   100.00%         358                 7    98.04%
-src/hid.c                                 60                 0   100.00%          12                 0   100.00%         114                 0   100.00%
+src/hid.c                                 87                 2    97.70%          14                 0   100.00%         145                 3    97.93%
 src/hid_linux.c                          173                68    60.69%          14                 7    50.00%         250               104    58.40%
 src/hid_unix.c                            28                20    28.57%           2                 0   100.00%          43                24    44.19%
 src/info.c                               184                 0   100.00%          39                 0   100.00%         316                 0   100.00%
 src/io.c                                 182                 7    96.15%          13                 0   100.00%         221                11    95.02%
 src/iso7816.c                             18                 1    94.44%           5                 0   100.00%          38                 0   100.00%
-src/largeblob.c                          513                21    95.91%          30                 0   100.00%         684                47    93.13%
+src/largeblob.c                          513                19    96.30%          30                 0   100.00%         684                43    93.71%
 src/log.c                                 39                 5    87.18%           7                 1    85.71%          63                 4    93.65%
 src/netlink.c                            328                14    95.73%          40                 0   100.00%         498                32    93.57%
 src/nfc_linux.c                          327                73    77.68%          23                 5    78.26%         458               124    72.93%
 src/pin.c                                403                 3    99.26%          26                 0   100.00%         495                 3    99.39%
 src/random.c                               6                 1    83.33%           1                 0   100.00%           6                 1    83.33%
 src/reset.c                               24                 0   100.00%           3                 0   100.00%          23                 0   100.00%
-src/rs1.c                                 25                 1    96.00%           3                 0   100.00%          39                 3    92.31%
+src/rs1.c                                 25                 0   100.00%           3                 0   100.00%          39                 0   100.00%
 src/rs256.c                              141                 8    94.33%          13                 0   100.00%         172                10    94.19%
 src/time.c                                43                 3    93.02%           3                 0   100.00%          43                 1    97.67%
-src/tpm.c                                 76                 0   100.00%           7                 0   100.00%         138                 0   100.00%
+src/tpm.c                                100                 0   100.00%           9                 0   100.00%         194                 0   100.00%
 src/types.c                               25                 0   100.00%           6                 0   100.00%          46                 0   100.00%
 src/u2f.c                                528                 4    99.24%          17                 0   100.00%         685                12    98.25%
 
@@ -54,4 +54,4 @@ src/fido.h                                 0                 0         -
 src/fido/err.h                             0                 0         -           0                 0         -           0                 0         -
 src/fido/param.h                           0                 0         -           0                 0         -           0                 0         -
 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-TOTAL                                   7809               481    93.84%         679                26    96.17%       10180               708    93.05%
+TOTAL                                   7861               476    93.94%         684                27    96.05%       10270               699    93.19%
diff --git a/contrib/libfido2/man/CMakeLists.txt b/contrib/libfido2/man/CMakeLists.txt
index 3e50c50d37a0..5ce2fc7b83ed 100644
--- a/contrib/libfido2/man/CMakeLists.txt
+++ b/contrib/libfido2/man/CMakeLists.txt
@@ -44,6 +44,7 @@ list(APPEND MAN_SOURCES
 
 list(APPEND MAN_ALIAS
 	eddsa_pk_new eddsa_pk_free
+	eddsa_pk_new eddsa_pk_from_EVP_PKEY
 	eddsa_pk_new eddsa_pk_from_ptr
 	eddsa_pk_new eddsa_pk_to_EVP_PKEY
 	es256_pk_new es256_pk_free
@@ -75,6 +76,7 @@ list(APPEND MAN_ALIAS
 	fido_assert_new fido_assert_user_id_len
 	fido_assert_new fido_assert_user_id_ptr
 	fido_assert_new fido_assert_user_name
+	fido_assert_set_authdata fido_assert_set_authdata_raw
 	fido_assert_set_authdata fido_assert_set_clientdata
 	fido_assert_set_authdata fido_assert_set_clientdata_hash
 	fido_assert_set_authdata fido_assert_set_count
@@ -117,8 +119,8 @@ list(APPEND MAN_ALIAS
 	fido_cbor_info_new fido_cbor_info_free
 	fido_cbor_info_new fido_cbor_info_maxmsgsiz
 	fido_cbor_info_new fido_cbor_info_maxcredbloblen
-	fido_cbor_info_new fido_cbor_info_maxcredcntlst;
-	fido_cbor_info_new fido_cbor_info_maxcredidlen;
+	fido_cbor_info_new fido_cbor_info_maxcredcntlst
+	fido_cbor_info_new fido_cbor_info_maxcredidlen
 	fido_cbor_info_new fido_cbor_info_fwversion
 	fido_cbor_info_new fido_cbor_info_options_len
 	fido_cbor_info_new fido_cbor_info_options_name_ptr
@@ -163,6 +165,7 @@ list(APPEND MAN_ALIAS
 	fido_cred_new fido_cred_user_name
 	fido_cred_new fido_cred_x5c_len
 	fido_cred_new fido_cred_x5c_ptr
+	fido_cred_verify fido_cred_verify_self
 	fido_credman_metadata_new fido_credman_del_dev_rk
 	fido_credman_metadata_new fido_credman_get_dev_metadata
 	fido_credman_metadata_new fido_credman_get_dev_rk
@@ -211,6 +214,7 @@ list(APPEND MAN_ALIAS
 	fido_dev_info_manifest fido_dev_info_product
 	fido_dev_info_manifest fido_dev_info_product_string
 	fido_dev_info_manifest fido_dev_info_ptr
+	fido_dev_info_manifest fido_dev_info_set
 	fido_dev_info_manifest fido_dev_info_vendor
 	fido_dev_open fido_dev_build
 	fido_dev_open fido_dev_cancel
@@ -219,26 +223,33 @@ list(APPEND MAN_ALIAS
 	fido_dev_open fido_dev_force_fido2
 	fido_dev_open fido_dev_force_u2f
 	fido_dev_open fido_dev_free
+	fido_dev_open fido_dev_has_pin
+	fido_dev_open fido_dev_has_uv
 	fido_dev_open fido_dev_is_fido2
 	fido_dev_open fido_dev_is_winhello
 	fido_dev_open fido_dev_major
 	fido_dev_open fido_dev_minor
 	fido_dev_open fido_dev_new
+	fido_dev_open fido_dev_new_with_info
+	fido_dev_open fido_dev_open_with_info
 	fido_dev_open fido_dev_protocol
 	fido_dev_open fido_dev_supports_cred_prot
 	fido_dev_open fido_dev_supports_credman
+	fido_dev_open fido_dev_supports_permissions
 	fido_dev_open fido_dev_supports_pin
 	fido_dev_open fido_dev_supports_uv
-	fido_dev_open fido_dev_has_uv
 	fido_dev_set_pin fido_dev_get_retry_count
 	fido_dev_set_pin fido_dev_get_uv_retry_count
 	fido_dev_set_pin fido_dev_reset
+	fido_dev_set_io_functions fido_dev_io_handle
 	fido_dev_set_io_functions fido_dev_set_sigmask
 	fido_dev_set_io_functions fido_dev_set_timeout
+	fido_dev_set_io_functions fido_dev_set_transport_functions
 	fido_dev_largeblob_get fido_dev_largeblob_set
 	fido_dev_largeblob_get fido_dev_largeblob_remove
 	fido_dev_largeblob_get fido_dev_largeblob_get_array
 	fido_dev_largeblob_get fido_dev_largeblob_set_array
+	fido_init fido_set_log_handler
 	rs256_pk_new rs256_pk_free
 	rs256_pk_new rs256_pk_from_ptr
 	rs256_pk_new rs256_pk_from_EVP_PKEY
diff --git a/contrib/libfido2/man/check.sh b/contrib/libfido2/man/check.sh
new file mode 100755
index 000000000000..951afeb88e0b
--- /dev/null
+++ b/contrib/libfido2/man/check.sh
@@ -0,0 +1,42 @@
+#!/bin/sh -u
+
+# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+T=$(mktemp -d) || exit 1
+find . -maxdepth 1 -type f -name '*.3' -print0 > "$T/files"
+
+xargs -0 awk '/^.Sh NAME/,/^.Nd/' < "$T/files" | \
+    awk '/^.Nm/ { print $2 }' | sort -u > "$T/Nm"
+xargs -0 awk '/^.Fn/ { print $2 }' < "$T/files" | sort -u > "$T/Fn"
+(cd "$T" && diff -u Nm Fn)
+
+cut -c2- ../src/export.llvm | sort > "$T/exports"
+(cd "$T" && diff -u Nm exports)
+
+awk '/^list\(APPEND MAN_SOURCES/,/^\)/' CMakeLists.txt | \
+    awk '/.3$/ { print $1 }' | sort > "$T/listed_sources"
+xargs -0 -n1 basename < "$T/files" | sort > "$T/actual_sources"
+(cd "$T" && diff -u listed_sources actual_sources)
+
+awk '/^list\(APPEND MAN_ALIAS/,/^\)/' CMakeLists.txt | \
+    sed '1d;$d' | awk '{ print $1, $2 }' | sort > "$T/listed_aliases"
+xargs -0 grep -o "^.Fn [A-Za-z0-9_]* \"" < "$T/files" | \
+    cut -c3- | sed 's/\.3:\.Fn//;s/ "//' | awk '$1 != $2' | \
+    sort > "$T/actual_aliases"
+(cd "$T" && diff -u listed_aliases actual_aliases)
+
+xargs -0 grep -hB1 "^.Fn [A-Za-z0-9_]* \"" < "$T/files" | \
+    sed -E 's/^.F[tn] //;s/\*[^"\*]+"/\*"/g;s/ [^" \*]+"/"/g;/^--$/d' | \
+    paste -d " " - - | sed 's/\* /\*/' | sort > "$T/documented_prototypes"
+while read -r f; do
+	awk "/\/\*/ { next } /$f\(/,/;/" ../src/fido.h ../src/fido/*.h | \
+	    sed -E 's/^[ ]+//;s/[ ]+/ /' | tr '\n' ' ' | \
+	    sed 's/(/ "/;s/, /" "/g;s/);/"/;s/ $/\n/'
+done < "$T/exports" | sort > "$T/actual_prototypes"
+(cd "$T" && diff -u documented_prototypes actual_prototypes)
+
+(cd "$T" && rm files Nm Fn exports listed_sources actual_sources \
+    listed_aliases actual_aliases documented_prototypes actual_prototypes)
+rmdir -- "$T"
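Review bot: None of the five `diff -u` comparisons affects the script's exit status. The interpreter line is `#!/bin/sh -u` with no `-e`, so a mismatch between the man pages, `export.llvm` and the headers is only printed, and the script returns whatever `rmdir -- "$T"` returns. Unless the caller checks for empty output (not visible here), a build or CI job cannot fail on an undocumented or mis-documented export. To fix this, set `rc=0` after `mktemp`, write each comparison as `(cd "$T" && diff -u Nm Fn) || rc=1`, and end with `exit "$rc"`. Separately, the temporary directory is removed only on the straight-line path, so an interrupt or early exit leaves it behind; a `trap` on EXIT that runs the existing `rm`/`rmdir` cleanup would cover that.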
diff --git a/contrib/libfido2/man/eddsa_pk_new.3 b/contrib/libfido2/man/eddsa_pk_new.3
index 65bf9a9f753d..998def484790 100644
--- a/contrib/libfido2/man/eddsa_pk_new.3
+++ b/contrib/libfido2/man/eddsa_pk_new.3
@@ -11,7 +11,7 @@
 .Nm eddsa_pk_from_EVP_PKEY ,
 .Nm eddsa_pk_from_ptr ,
 .Nm eddsa_pk_to_EVP_PKEY
-.Nd FIDO 2 COSE EDDSA API
+.Nd FIDO2 COSE EDDSA API
 .Sh SYNOPSIS
 .In openssl/evp.h
 .In fido/eddsa.h
@@ -106,7 +106,7 @@ If an error occurs,
 returns NULL.
 .Sh RETURN VALUES
 The
-.Fn eddsa_pk_from_EC_KEY
+.Fn eddsa_pk_from_EVP_PKEY
 and
 .Fn eddsa_pk_from_ptr
 functions return
diff --git a/contrib/libfido2/man/es256_pk_new.3 b/contrib/libfido2/man/es256_pk_new.3
index 6c1bac0f57f9..5e184340a575 100644
--- a/contrib/libfido2/man/es256_pk_new.3
+++ b/contrib/libfido2/man/es256_pk_new.3
@@ -9,10 +9,10 @@
 .Nm es256_pk_new ,
 .Nm es256_pk_free ,
 .Nm es256_pk_from_EC_KEY ,
-.Nm es256_pk_from_EVP_KEY ,
+.Nm es256_pk_from_EVP_PKEY ,
 .Nm es256_pk_from_ptr ,
 .Nm es256_pk_to_EVP_PKEY
-.Nd FIDO 2 COSE ES256 API
+.Nd FIDO2 COSE ES256 API
 .Sh SYNOPSIS
 .In openssl/ec.h
 .In fido/es256.h
@@ -82,7 +82,7 @@ No references to
 are kept.
 .Pp
 The
-.Fn es256_pk_from_EVP_KEY
+.Fn es256_pk_from_EVP_PKEY
 function fills
 .Fa pk
 with the contents of
@@ -124,7 +124,7 @@ returns NULL.
 .Sh RETURN VALUES
 The
 .Fn es256_pk_from_EC_KEY ,
-.Fn es256_pk_from_EVP_KEY ,
+.Fn es256_pk_from_EVP_PKEY ,
 and
 .Fn es256_pk_from_ptr
 functions return
diff --git a/contrib/libfido2/man/fido2-assert.1 b/contrib/libfido2/man/fido2-assert.1
index da47d6f19dd3..ee8135c18483 100644
--- a/contrib/libfido2/man/fido2-assert.1
+++ b/contrib/libfido2/man/fido2-assert.1
@@ -7,7 +7,7 @@
 .Os
 .Sh NAME
 .Nm fido2-assert
-.Nd get/verify a FIDO 2 assertion
+.Nd get/verify a FIDO2 assertion
 .Sh SYNOPSIS
 .Nm
 .Fl G
@@ -24,7 +24,7 @@
 .Op Ar type
 .Sh DESCRIPTION
 .Nm
-gets or verifies a FIDO 2 assertion.
+gets or verifies a FIDO2 assertion.
 .Pp
 The input of
 .Nm
@@ -117,7 +117,7 @@ will not expect a credential id in its input, and may output
 multiple assertions.
 Resident credentials are called
 .Dq discoverable credentials
-in FIDO 2.1.
+in CTAP 2.1.
 .It Fl t Ar option
 Toggles a key/value
 .Ar option ,
diff --git a/contrib/libfido2/man/fido2-cred.1 b/contrib/libfido2/man/fido2-cred.1
index 301564d688e5..0b10e74a0507 100644
--- a/contrib/libfido2/man/fido2-cred.1
+++ b/contrib/libfido2/man/fido2-cred.1
@@ -7,7 +7,7 @@
 .Os
 .Sh NAME
 .Nm fido2-cred
-.Nd make/verify a FIDO 2 credential
+.Nd make/verify a FIDO2 credential
 .Sh SYNOPSIS
 .Nm
 .Fl M
@@ -26,7 +26,7 @@
 .Op Ar type
 .Sh DESCRIPTION
 .Nm
-makes or verifies a FIDO 2 credential.
+makes or verifies a FIDO2 credential.
 .Pp
 A credential
 .Ar type
@@ -143,7 +143,7 @@ will fail.
 Create a resident credential.
 Resident credentials are called
 .Dq discoverable credentials
-in FIDO 2.1.
+in CTAP 2.1.
 .It Fl u
 Create a U2F credential.
 By default,
diff --git a/contrib/libfido2/man/fido2-token.1 b/contrib/libfido2/man/fido2-token.1
index fd82c23cffb7..1aa2feb86859 100644
--- a/contrib/libfido2/man/fido2-token.1
+++ b/contrib/libfido2/man/fido2-token.1
@@ -7,7 +7,7 @@
 .Os
 .Sh NAME
 .Nm fido2-token
-.Nd find and manage a FIDO 2 authenticator
+.Nd find and manage a FIDO2 authenticator
 .Sh SYNOPSIS
 .Nm
 .Fl C
@@ -121,7 +121,7 @@
 .Fl V
 .Sh DESCRIPTION
 .Nm
-manages a FIDO 2 authenticator.
+manages a FIDO2 authenticator.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
@@ -176,12 +176,12 @@ where
 is the enrollment's template base64-encoded id.
 The user will be prompted for the PIN.
 .It Fl D Fl u Ar device
-Disables the FIDO 2.1
+Disables the CTAP 2.1
 .Dq user verification always
 feature on
 .Ar device .
 .It Fl G Fl b Fl k Ar key_path Ar blob_path Ar device
-Gets a FIDO 2.1
+Gets a CTAP 2.1
 .Dq largeBlob
 encrypted with
 .Ar key_path
@@ -194,7 +194,7 @@ The blob is written to
 .Ar blob_path .
 A PIN or equivalent user-verification gesture is required.
 .It Fl G Fl b Fl n Ar rp_id Oo Fl i Ar cred_id Oc Ar blob_path Ar device
-Gets a FIDO 2.1
+Gets a CTAP 2.1
 .Dq largeBlob
 associated with
 .Ar rp_id
@@ -234,7 +234,7 @@ The user will be prompted for the PIN.
 .It Fl L
 Produces a list of authenticators found by the operating system.
 .It Fl L Fl b Ar device
-Produces a list of FIDO 2.1
+Produces a list of CTAP 2.1
 .Dq largeBlobs
 on
 .Ar device .
@@ -264,12 +264,12 @@ Sets the PIN of
 .Ar device .
 The user will be prompted for the PIN.
 .It Fl S Fl a Ar device
-Enables FIDO 2.1 Enterprise Attestation on
+Enables CTAP 2.1 Enterprise Attestation on
 .Ar device .
 .It Fl S Fl b Fl k Ar key_path Ar blob_path Ar device
 Sets
 .Ar blob_path
-as a FIDO 2.1
+as a CTAP 2.1
 .Dq largeBlob
 encrypted with
 .Ar key_path
@@ -284,7 +284,7 @@ A PIN or equivalent user-verification gesture is required.
 .It Fl S Fl b Fl n Ar rp_id Oo Fl i Ar cred_id Oc Ar blob_path Ar device
 Sets
 .Ar blob_path
-as a FIDO 2.1
+as a CTAP 2.1
 .Dq largeBlob
 associated with
 .Ar rp_id
@@ -353,7 +353,7 @@ the minimum PIN length of
 Multiple IDs may be specified, separated by commas.
 The user will be prompted for the PIN.
 .It Fl S Fl u Ar device
-Enables the FIDO 2.1
+Enables the CTAP 2.1
 .Dq user verification always
 feature on
 .Ar device .
@@ -392,9 +392,9 @@ An authenticator's path may contain spaces.
 .Pp
 Resident credentials are called
 .Dq discoverable credentials
-in FIDO 2.1.
+in CTAP 2.1.
 .Pp
-Whether the FIDO 2.1
+Whether the CTAP 2.1
 .Dq user verification always
 feature is activated or deactivated after an authenticator reset
 is vendor-specific.
diff --git a/contrib/libfido2/man/fido_assert_allow_cred.3 b/contrib/libfido2/man/fido_assert_allow_cred.3
index bbe6e4d8929a..7fd730c3f63c 100644
--- a/contrib/libfido2/man/fido_assert_allow_cred.3
+++ b/contrib/libfido2/man/fido_assert_allow_cred.3
@@ -7,7 +7,7 @@
 .Os
 .Sh NAME
 .Nm fido_assert_allow_cred
-.Nd appends a credential ID to the list of credentials allowed in an assertion
+.Nd allow a credential in a FIDO2 assertion
 .Sh SYNOPSIS
 .In fido.h
 .Ft int
@@ -31,7 +31,7 @@ If
 .Fn fido_assert_allow_cred
 fails, the existing list of allowed credentials is preserved.
 .Pp
-For the format of a FIDO 2 credential ID, please refer to the
+For the format of a FIDO2 credential ID, please refer to the
 Web Authentication (webauthn) standard.
 .Sh RETURN VALUES
 The error codes returned by
diff --git a/contrib/libfido2/man/fido_assert_new.3 b/contrib/libfido2/man/fido_assert_new.3
index 16f4e3a6e46d..a1a3c101ba33 100644
--- a/contrib/libfido2/man/fido_assert_new.3
+++ b/contrib/libfido2/man/fido_assert_new.3
@@ -31,7 +31,7 @@
 .Nm fido_assert_id_len ,
 .Nm fido_assert_sigcount ,
 .Nm fido_assert_flags
-.Nd FIDO 2 assertion API
+.Nd FIDO2 assertion API
 .Sh SYNOPSIS
 .In fido.h
 .Ft fido_assert_t *
@@ -85,9 +85,12 @@
 .Ft uint8_t
 .Fn fido_assert_flags "const fido_assert_t *assert" "size_t idx"
 .Sh DESCRIPTION
-FIDO 2 assertions are abstracted in
-.Em libfido2
-by the
+A FIDO2 assertion is a collection of statements, each statement a
+map between a challenge, a credential, a signature, and ancillary
+attributes.
+In
*** 3261 LINES SKIPPED ***