New upstream version 1.3.1

33 files changed, 923 insertions, 813 deletions

diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
new file mode 100644
index 0000000..eb953db
--- /dev/null
+++ b/.github/workflows/windows.yml
@@ -0,0 +1,14 @@
+name: windows
+
+on: [push]
+
+jobs:
+  build:
+
+    runs-on: windows-latest
+
+    steps:
+    - uses: actions/checkout@v1
+    - name: build
+      run: .\windows\build.ps1
+
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..329c184
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+build/
+cscope.out
+fuzz/build/
+fuzz/obj/
+fuzz/*.so
+output/
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..5ddf36f
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,86 @@
+language: c
+
+matrix:
+  include:
+    - os: linux
+      compiler: clang-7
+      dist: xenial
+      sudo: required
+      addons:
+        apt:
+          sources:
+            - ubuntu-toolchain-r-test
+            - llvm-toolchain-xenial-7
+          packages:
+            - clang-7
+            - cmake
+            - libssl-dev
+            - libudev-dev
+      script: /bin/sh -eux .travis/build-linux-clang
+    - os: linux
+      compiler: gcc-7
+      dist: xenial
+      sudo: required
+      addons:
+        apt:
+          sources:
+            - ubuntu-toolchain-r-test
+          packages:
+            - gcc-7
+            - cmake
+            - libssl-dev
+            - libudev-dev
+      script: /bin/sh -eux .travis/build-linux-gcc
+    - os: linux
+      compiler: i686-w64-mingw32-gcc-4.8
+      dist: xenial
+      sudo: required
+      addons:
+        apt:
+          sources:
+            - ubuntu-toolchain-r-test
+          packages:
+            - binutils-mingw-w64-i686
+            - gcc-mingw-w64
+            - g++-mingw-w64
+            - mingw-w64-i686-dev
+            - cmake
+      script: /bin/sh -eux .travis/build-linux-mingw
+    - os: osx
+      osx_image: xcode10.2
+      compiler: clang
+      sudo: required
+      script: /bin/sh -eux .travis/build-osx-clang
+    - os: linux
+      compiler: clang-7
+      dist: xenial
+      sudo: required
+      addons:
+        apt:
+          sources:
+            - ubuntu-toolchain-r-test
+            - llvm-toolchain-xenial-7
+          packages:
+            - clang-7
+            - cmake
+            - libssl-dev
+            - libudev-dev
+      script: /bin/sh -eux .travis/fuzz-linux-asan
+    - os: linux
+      compiler: clang-7
+      dist: xenial
+      sudo: required
+      addons:
+        apt:
+          sources:
+            - ubuntu-toolchain-r-test
+            - llvm-toolchain-xenial-7
+          packages:
+            - clang-7
+            - cmake
+            - libssl-dev
+            - libudev-dev
+      script: /bin/sh -eux .travis/fuzz-linux-msan
+
+notifications:
+  email: false
diff --git a/.travis/build-linux-clang b/.travis/build-linux-clang
new file mode 100644
index 0000000..8938461
--- /dev/null
+++ b/.travis/build-linux-clang
@@ -0,0 +1,22 @@
+#!/bin/sh -eux
+
+${CC} --version
+
+# Check exports.
+(cd src && ./diff_exports.sh)
+
+# Build and install libcbor.
+git clone git://github.com/pjk/libcbor
+cd libcbor
+git checkout v0.5.0
+mkdir build
+(cd build && cmake ..)
+make -C build
+sudo make -C build install
+cd ..
+
+# Build, analyze, and install libfido2.
+mkdir build
+(cd build && scan-build cmake -DCMAKE_BUILD_TYPE=Debug ..)
+scan-build --status-bugs make -C build
+sudo make -C build install
diff --git a/.travis/build-linux-gcc b/.travis/build-linux-gcc
new file mode 100644
index 0000000..be1e0a9
--- /dev/null
+++ b/.travis/build-linux-gcc
@@ -0,0 +1,19 @@
+#!/bin/sh -eux
+
+${CC} --version
+
+# Build and install libcbor.
+git clone git://github.com/pjk/libcbor
+cd libcbor
+git checkout v0.5.0
+mkdir build
+(cd build && cmake ..)
+make -C build
+sudo make -C build install
+cd ..
+
+# Build and install libfido2.
+mkdir build
+(cd build && cmake -DCMAKE_BUILD_TYPE=Debug ..)
+make -C build
+sudo make -C build install
diff --git a/.travis/build-linux-mingw b/.travis/build-linux-mingw
new file mode 100644
index 0000000..c88ddca
--- /dev/null
+++ b/.travis/build-linux-mingw
@@ -0,0 +1,47 @@
+#!/bin/sh -eux
+
+# XXX defining CC and cross-compiling confuses OpenSSL's build.
+unset CC
+
+sudo mkdir /fakeroot
+sudo chmod 755 /fakeroot
+
+cat << EOF > /tmp/mingw.cmake
+SET(CMAKE_SYSTEM_NAME Windows)
+SET(CMAKE_C_COMPILER i686-w64-mingw32-gcc)
+SET(CMAKE_CXX_COMPILER i686-w64-mingw32-g++)
+SET(CMAKE_RC_COMPILER i686-w64-mingw32-windres)
+SET(CMAKE_FIND_ROOT_PATH /fakeroot)
+SET(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER)
+SET(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY)
+SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
+EOF
+
+# Build and install libcbor.
+git clone git://github.com/pjk/libcbor
+cd libcbor
+git checkout v0.5.0
+mkdir build
+(cd build && cmake -DCMAKE_TOOLCHAIN_FILE=/tmp/mingw.cmake \
+        -DCMAKE_INSTALL_PREFIX=/fakeroot ..)
+make -C build
+sudo make -C build install
+cd ..
+
+# Build and install OpenSSL 1.1.0j.
+git clone git://github.com/openssl/openssl
+cd openssl
+git checkout OpenSSL_1_1_0j
+./Configure mingw --prefix=/fakeroot --openssldir=/fakeroot/openssl \
+        --cross-compile-prefix=i686-w64-mingw32-
+make
+sudo make install_sw
+cd ..
+
+# Build and install libfido2.
+export PKG_CONFIG_PATH=/fakeroot/lib/pkgconfig
+mkdir build
+(cd build && cmake -DCMAKE_TOOLCHAIN_FILE=/tmp/mingw.cmake \
+        -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=/fakeroot ..)
+make -C build
+sudo make -C build install
diff --git a/.travis/build-osx-clang b/.travis/build-osx-clang
new file mode 100644
index 0000000..69a784c
--- /dev/null
+++ b/.travis/build-osx-clang
@@ -0,0 +1,24 @@
+#!/bin/sh -eux
+
+${CC} --version
+
+# Build and install libcbor.
+git clone git://github.com/pjk/libcbor
+cd libcbor
+git checkout v0.5.0
+mkdir build
+(cd build && cmake ..)
+make -C build
+sudo make -C build install
+cd ..
+
+# Install mandoc from Homebrew.
+brew install mandoc
+
+# Build and install libfido2.
+export PKG_CONFIG_PATH=/usr/local/opt/openssl@1.1/lib/pkgconfig
+mkdir build
+(cd build && cmake -DCMAKE_BUILD_TYPE=Debug ..)
+make -C build
+make -C build man_symlink_html
+sudo make -C build install
diff --git a/.travis/fuzz-linux-asan b/.travis/fuzz-linux-asan
new file mode 100644
index 0000000..0a0aebb
--- /dev/null
+++ b/.travis/fuzz-linux-asan
@@ -0,0 +1,58 @@
+#!/bin/sh -eux
+
+${CC} --version
+
+FAKEROOT=/fakeroot
+sudo mkdir ${FAKEROOT}
+sudo chmod 755 ${FAKEROOT}
+
+# Build and install libcbor.
+git clone git://github.com/pjk/libcbor
+cd libcbor
+patch -p0 < ../fuzz/README
+mkdir build
+cd build
+cmake -DCMAKE_C_FLAGS_DEBUG="-g2 -fno-omit-frame-pointer" \
+        -DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Debug \
+        -DCMAKE_INSTALL_PREFIX=${FAKEROOT} -DSANITIZE=ON \
+        -DCMAKE_INSTALL_LIBDIR=lib ..
+make
+sudo make install
+cd ../..
+
+# Build and install OpenSSL 1.1.1b.
+git clone git://github.com/openssl/openssl
+cd openssl
+git checkout OpenSSL_1_1_1b
+./Configure linux-x86_64-clang enable-asan --prefix=${FAKEROOT} \
+         --openssldir=${FAKEROOT}/openssl
+make clean
+make
+sudo make install_sw
+cd ..
+
+# Build libfido2.
+mkdir build
+cd build
+export PKG_CONFIG_PATH=/fakeroot/lib/pkgconfig
+cmake -DFUZZ=1 -DLIBFUZZER=1 -DASAN=1 -DUBSAN=1 -DCMAKE_C_COMPILER=clang \
+        -DCRYPTO_INCLUDE_DIRS=${FAKEROOT}/include \
+        -DCRYPTO_LIBRARY_DIRS=${FAKEROOT}/lib \
+        -DCBOR_INCLUDE_DIRS=${FAKEROOT}/include \
+        -DCBOR_LIBRARY_DIRS=${FAKEROOT}/lib \
+        -DCMAKE_BUILD_TYPE=Debug ..
+make
+
+# Fuzz with ASAN.
+mkdir corpus
+tar -C corpus -zxf ../fuzz/corpus.tgz
+fuzz/fuzz_cred -use_value_profile=1 -reload=30 -print_pcs=1 \
+        -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_cred
+fuzz/fuzz_assert -use_value_profile=1 -reload=30 -print_pcs=1 \
+        -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_assert
+fuzz/fuzz_credman -use_value_profile=1 -reload=30 -print_pcs=1 \
+        -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_credman
+fuzz/fuzz_mgmt -use_value_profile=1 -reload=30 -print_pcs=1 \
+        -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_mgmt
+fuzz/fuzz_bio -use_value_profile=1 -reload=30 -print_pcs=1 \
+        -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_bio
diff --git a/.travis/fuzz-linux-msan b/.travis/fuzz-linux-msan
new file mode 100644
index 0000000..fd7b2ac
--- /dev/null
+++ b/.travis/fuzz-linux-msan
@@ -0,0 +1,58 @@
+#!/bin/sh -eux
+
+${CC} --version
+
+FAKEROOT=/fakeroot
+sudo mkdir ${FAKEROOT}
+sudo chmod 755 ${FAKEROOT}
+
+# Build and install libcbor.
+git clone git://github.com/pjk/libcbor
+cd libcbor
+patch -p0 < ../fuzz/README
+mkdir build
+cd build
+cmake -DCMAKE_C_FLAGS_DEBUG="-fsanitize=memory,undefined -g2 -fno-omit-frame-pointer" \
+        -DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Debug \
+        -DCMAKE_INSTALL_PREFIX=${FAKEROOT} -DSANITIZE=OFF \
+        -DCMAKE_INSTALL_LIBDIR=lib ..
+make
+sudo make install
+cd ../..
+
+# Build and install OpenSSL 1.1.1b.
+git clone git://github.com/openssl/openssl
+cd openssl
+git checkout OpenSSL_1_1_1b
+./Configure linux-x86_64-clang enable-msan --prefix=${FAKEROOT} \
+         --openssldir=${FAKEROOT}/openssl
+make clean
+make
+sudo make install_sw
+cd ..
+
+# Build libfido2.
+mkdir build
+cd build
+export PKG_CONFIG_PATH=/fakeroot/lib/pkgconfig
+cmake -DFUZZ=1 -DLIBFUZZER=1 -DMSAN=1 -DUBSAN=1 -DCMAKE_C_COMPILER=clang \
+        -DCRYPTO_INCLUDE_DIRS=${FAKEROOT}/include \
+        -DCRYPTO_LIBRARY_DIRS=${FAKEROOT}/lib \
+        -DCBOR_INCLUDE_DIRS=${FAKEROOT}/include \
+        -DCBOR_LIBRARY_DIRS=${FAKEROOT}/lib \
+        -DCMAKE_BUILD_TYPE=Debug ..
+make
+
+# Fuzz with MSAN.
+mkdir corpus
+tar -C corpus -zxf ../fuzz/corpus.tgz
+fuzz/fuzz_cred -use_value_profile=1 -reload=30 -print_pcs=1 \
+        -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_cred
+fuzz/fuzz_assert -use_value_profile=1 -reload=30 -print_pcs=1 \
+        -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_assert
+fuzz/fuzz_credman -use_value_profile=1 -reload=30 -print_pcs=1 \
+        -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_credman
+fuzz/fuzz_mgmt -use_value_profile=1 -reload=30 -print_pcs=1 \
+        -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_mgmt
+fuzz/fuzz_bio -use_value_profile=1 -reload=30 -print_pcs=1 \
+        -print_funcs=30 -timeout=10 -max_len=17408 -runs=1 corpus/fuzz_bio
diff --git a/CMakeLists.txt b/CMakeLists.txt
index c7c5991..9481c46 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -20,7 +20,7 @@ set(CMAKE_POSITION_INDEPENDENT_CODE ON)
 
 set(FIDO_MAJOR "1")
 set(FIDO_MINOR "3")
-set(FIDO_PATCH "0")
+set(FIDO_PATCH "1")
 set(FIDO_VERSION ${FIDO_MAJOR}.${FIDO_MINOR}.${FIDO_PATCH})
 
 add_definitions(-D_FIDO_MAJOR=${FIDO_MAJOR})
@@ -322,7 +322,7 @@ elseif(NOT MSVC)
         endif()
 else()
         string(CONCAT CMAKE_SHARED_LINKER_FLAGS ${CMAKE_SHARED_LINKER_FLAGS}
-                " /def:${CMAKE_CURRENT_SOURCE_DIR}/src/export.msvc")
+                " /def:\"${CMAKE_CURRENT_SOURCE_DIR}/src/export.msvc\"")
 endif()
 
 include_directories(${CMAKE_SOURCE_DIR}/src)
diff --git a/NEWS b/NEWS
index 1b78c7c..8b96d39 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,7 @@
+* Version 1.3.1 (2020-02-19)
+ ** fix zero-ing of le1 and le2 when talking to a U2F device.
+ ** dropping sk-libfido2 middleware, please find it in the openssh tree.
+
 * Version 1.3.0 (2019-11-28)
  ** assert/hmac: encode public key as per spec, gh#60.
  ** fido2-cred: fix creation of resident keys.
diff --git a/README.adoc b/README.adoc
index 8693417..ce8ac1e 100644
--- a/README.adoc
+++ b/README.adoc
@@ -31,7 +31,7 @@ is also available.
 
 ==== Releases
 
-The current release of *libfido2* is 1.3.0. Please consult Yubico's
+The current release of *libfido2* is 1.3.1. Please consult Yubico's
 https://developers.yubico.com/libfido2/Releases[release page] for source
 and binary releases.
 
@@ -71,18 +71,3 @@ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", \
 On Windows 1903 and newer versions, access to FIDO devices has been restricted
 to applications using the operating system's native API. Use of *libfido2*
 is still possible in privileged applications.
-
-=== OpenSSH Integration
-
-*libfido2* includes middleware allowing https://www.openssh.com[OpenSSH] to
-talk to U2F/FIDO2 devices. Note that server support is required for
-authentication. In a nutshell:
-
-==== Key Generation
-
-  $ ssh-keygen -t [ecdsa-sk|ed25519-sk] -w /path/to/libsk-libfido2.so
-
-==== Authentication
-
-  $ ssh-agent -P /path/to/libsk-libfido2.so
-  $ ssh-add -S /path/to/libsk-libfido2.so
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..7502d61
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,80 @@
+libfido2 (1.2.0~ppa1~bionic1) bionic; urgency=low
+
+  * Credential management support.
+  * New API reflecting FIDO's 3-state booleans (true, false, absent):
+    - fido_assert_set_up;
+    - fido_assert_set_uv;
+    - fido_cred_set_rk;
+    - fido_cred_set_uv.
+  * Command-line tools for Windows.
+  * Documentation and reliability fixes.
+  * fido_{assert,cred}_set_options() are now marked as deprecated.
+
+ -- pedro martelletto <pedro@yubico.com>  Fri, 23 Aug 2019 12:08:02 +0000
+
+libfido2 (1.1.0) bionic; urgency=low
+
+  * MacOS: fix IOKit crash on HID read.
+  * Windows: fix contents of release file.
+  * EdDSA (Ed25519) support.
+  * fido_dev_make_cred: fix order of CBOR map keys.
+  * fido_dev_get_assert: plug memory leak when operating on U2F devices.
+
+ -- pedro martelletto <pedro@yubico.com>  Tue, 07 May 2019 08:03:21 +0000
+
+libfido2 (1.0.0) bionic; urgency=low
+
+  * Native HID support on Linux, MacOS, and Windows.
+  * fido2-{assert,cred}: new -u option to force U2F on dual authenticators.
+  * fido2-assert: support for multiple resident keys with the same RP.
+  * Strict checks for CTAP2 compliance on received CBOR payloads.
+  * Better fuzzing harnesses.
+  * Documentation and reliability fixes.
+
+ -- pedro martelletto <pedro@yubico.com>  Tue, 19 Mar 2019 07:38:36 +0000
+
+libfido2 (0.4.0) bionic; urgency=low
+
+  * fido2-assert: print the user id for resident credentials.
+  * Fix encoding of COSE algorithms when making a credential.
+  * Rework purpose of fido_cred_set_type; no ABI change.
+  * Minor documentation and code fixes.
+
+ -- pedro martelletto <pedro@yubico.com>  Mon, 07 Jan 2019 08:22:01 +0000
+
+libfido2 (0.3.0) bionic; urgency=low
+
+  * Various reliability fixes.
+  * Merged fuzzing instrumentation.
+  * Added regress tests.
+  * Added support for FIDO 2's hmac-secret extension.
+  * New API calls:
+    - fido_assert_hmac_secret_len;
+    - fido_assert_hmac_secret_ptr;
+    - fido_assert_set_extensions;
+    - fido_assert_set_hmac_salt;
+    - fido_cred_set_extensions;
+    - fido_dev_force_fido2.
+  * Support for native builds with Microsoft Visual Studio 17.
+
+ -- pedro martelletto <pedro@yubico.com>  Tue, 11 Sep 2018 09:05:32 +0000
+
+libfido2 (0.2.0) bionic; urgency=low
+
+  * Added command-line tools.
+  * Added a couple of missing get functions.
+
+ -- pedro martelletto <pedro@yubico.com>  Mon, 18 Jun 2018 10:44:11 +0000
+
+libfido2 (0.1.1~dev) bionic; urgency=low
+
+  * Added documentation.
+  * Minor fixes.
+
+ -- pedro martelletto <pedro@yubico.com>  Wed, 30 May 2018 13:16:28 +0000
+
+libfido2 (0.1.0~dev) bionic; urgency=low
+
+  * Initial release.
+
+ -- pedro martelletto <pedro@yubico.com>  Fri, 18 May 2018 08:47:01 +0000
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..50b9482
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,53 @@
+Source: libfido2
+Priority: optional
+Maintainer: Yubico Open Source Maintainers <ossmaint@yubico.com>
+Uploaders: pedro martelletto <pedro@yubico.com>
+Standards-Version: 4.1.2
+Section: libs
+Homepage: https://github.com/yubico/libfido2
+Build-Depends: debhelper (>= 9),
+               pkg-config,
+               cmake,
+               mandoc,
+               libcbor-dev,
+               libssl-dev,
+               libudev-dev
+
+Package: libfido2-1
+Architecture: any
+Multi-Arch: same
+Depends: libcbor0, libssl1.1, libudev1, ${shlibs:Depends}, ${misc:Depends}
+Description: library for generating and verifying FIDO 2.0 objects
+ A library for communicating with a FIDO device over USB, and for verifying
+ attestation and assertion signatures. FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2)
+ are supported. This package contains the runtime library.
+
+Package: libfido2-dev
+Section: libdevel
+Architecture: any
+Multi-Arch: same
+Depends: libfido2-1 (= ${binary:Version}), ${misc:Depends}
+Suggests: libssl-dev
+Description: library for generating and verifying FIDO 2.0 objects (development headers)
+ A library for communicating with a FIDO device over USB, and for verifying
+ attestation and assertion signatures. FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2)
+ are supported. This package contains the development headers.
+
+Package: fido2-tools
+Section: utils
+Architecture: any
+Multi-Arch: foreign
+Depends: libfido2-1 (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Description: command-line tools to configure and use a FIDO 2 token
+ A set of tools to manage a FIDO 2 token, generate credentials and
+ assertions, and verify them.
+
+Package: libfido2-udev
+Section: libs
+Architecture: all
+Multi-Arch: foreign
+Depends: ${misc:Depends}
+Conflicts: libu2f-udev
+Description: udev rules for access to U2F and FIDO2 devices
+ A set of udev rules allowing unprivileged system-level access
+ to U2F and FIDO2 USB devices for logged-on users.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..3ba51ef
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,85 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: libfido2
+Source: https://github.com/yubico/libfido2
+
+Files: *
+Copyright: Copyright (c) 2018 Yubico AB. All rights reserved.
+License: BSD-2-clause
+
+Files: openbsd-compat/strlcpy.c openbsd-compat/strlcat.c
+Copyright: Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
+License: ISC
+
+Files: src/compat/timingsafe_bcmp.c
+Copyright: Copyright (c) 2010 Damien Miller.  All rights reserved.
+License: ISC
+
+Files:
+ openbsd-compat/bsd-getpagesize.c
+ openbsd-compat/err.h
+ openbsd-compat/explicit_bzero.c
+ openbsd-compat/explicit_bzero_win32.c
+ openbsd-compat/types.h
+Copyright: Public domain
+License: public-domain
+
+Files: openbsd-compat/recallocarray.c
+Copyright: Copyright (c) 2008, 2017 Otto Moerbeek <otto@drijf.net>
+License: ISC
+
+Files: openbsd-compat/readpassphrase.h
+Copyright: Copyright (c) 2000, 2002 Todd C. Miller <Todd.Miller@courtesan.com>
+License: ISC
+
+Files: openbsd-compat/readpassphrase.c
+Copyright: Copyright (c) 2000-2002, 2007, 2010 Todd C. Miller <Todd.Miller@courtesan.com>
+License: ISC
+
+Files: openbsd-compat/getopt.h
+Copyright: Copyright (c) 2000 The NetBSD Foundation, Inc. All rights reserved.
+License: BSD-2-clause
+
+Files: openbsd-compat/getopt_long.c
+Copyright: Copyright (c) 2002 Todd C. Miller <Todd.Miller@courtesan.com>
+           Copyright (c) 2000 The NetBSD Foundation, Inc. All rights reserved.
+License: ISC and BSD-2-clause
+
+License: BSD-2-clause
+  Redistribution and use in source and binary forms, with or without
+  modification, are permitted provided that the following conditions are
+  met:
+  .
+     1. Redistributions of source code must retain the above copyright
+        notice, this list of conditions and the following disclaimer.
+     2. Redistributions in binary form must reproduce the above copyright
+        notice, this list of conditions and the following disclaimer in
+        the documentation and/or other materials provided with the
+        distribution.
+  .
+  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+  "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+  LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+  A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+  HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+  OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+License: public-domain
+  Public domain.
+
+License: ISC
+  Permission to use, copy, modify, and distribute this software for any
+  purpose with or without fee is hereby granted, provided that the above
+  copyright notice and this permission notice appear in all copies.
+  .
+  THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+  WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+  MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+  ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+  WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+  ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+  OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
diff --git a/debian/fido2-tools.install b/debian/fido2-tools.install
new file mode 100644
index 0000000..e772481
--- /dev/null
+++ b/debian/fido2-tools.install
@@ -0,0 +1 @@
+usr/bin
diff --git a/debian/fido2-tools.manpages b/debian/fido2-tools.manpages
new file mode 100644
index 0000000..fc19867
--- /dev/null
+++ b/debian/fido2-tools.manpages
@@ -0,0 +1,3 @@
+man/fido2-assert.1
+man/fido2-cred.1
+man/fido2-token.1
diff --git a/debian/libfido2-1.install b/debian/libfido2-1.install
new file mode 100644
index 0000000..a080fbe
--- /dev/null
+++ b/debian/libfido2-1.install
@@ -0,0 +1 @@
+usr/lib/*/libfido2.so.*
diff --git a/debian/libfido2-1.symbols b/debian/libfido2-1.symbols
new file mode 100644
index 0000000..afbf449
--- /dev/null
+++ b/debian/libfido2-1.symbols
@@ -0,0 +1,148 @@
+libfido2.so.1 libfido2-1 #MINVER#
+ eddsa_pk_free@Base 1.1.0
+ eddsa_pk_from_EVP_PKEY@Base 1.1.0
+ eddsa_pk_from_ptr@Base 1.1.0
+ eddsa_pk_new@Base 1.1.0
+ eddsa_pk_to_EVP_PKEY@Base 1.1.0
+ es256_pk_free@Base 1.1.0
+ es256_pk_from_EC_KEY@Base 1.1.0
+ es256_pk_from_ptr@Base 1.1.0
+ es256_pk_new@Base 1.1.0
+ es256_pk_to_EVP_PKEY@Base 1.1.0
+ fido_assert_allow_cred@Base 1.1.0
+ fido_assert_authdata_len@Base 1.1.0
+ fido_assert_authdata_ptr@Base 1.1.0
+ fido_assert_clientdata_hash_len@Base 1.1.0
+ fido_assert_clientdata_hash_ptr@Base 1.1.0
+ fido_assert_count@Base 1.1.0
+ fido_assert_flags@Base 1.1.0
+ fido_assert_free@Base 1.1.0
+ fido_assert_hmac_secret_len@Base 1.1.0
+ fido_assert_hmac_secret_ptr@Base 1.1.0
+ fido_assert_id_len@Base 1.1.0
+ fido_assert_id_ptr@Base 1.1.0
+ fido_assert_new@Base 1.1.0
+ fido_assert_rp_id@Base 1.1.0
+ fido_assert_set_authdata@Base 1.1.0
+ fido_assert_set_clientdata_hash@Base 1.1.0
+ fido_assert_set_count@Base 1.1.0
+ fido_assert_set_extensions@Base 1.1.0
+ fido_assert_set_hmac_salt@Base 1.1.0
+ fido_assert_set_options@Base 1.1.0
+ fido_assert_set_rp@Base 1.1.0
+ fido_assert_set_sig@Base 1.1.0
+ fido_assert_set_up@Base 1.2.0
+ fido_assert_set_uv@Base 1.2.0
+ fido_assert_sig_len@Base 1.1.0
+ fido_assert_sig_ptr@Base 1.1.0
+ fido_assert_user_display_name@Base 1.1.0
+ fido_assert_user_icon@Base 1.1.0
+ fido_assert_user_id_len@Base 1.1.0
+ fido_assert_user_id_ptr@Base 1.1.0
+ fido_assert_user_name@Base 1.1.0
+ fido_assert_verify@Base 1.1.0
+ fido_cbor_info_aaguid_len@Base 1.1.0
+ fido_cbor_info_aaguid_ptr@Base 1.1.0
+ fido_cbor_info_extensions_len@Base 1.1.0
+ fido_cbor_info_extensions_ptr@Base 1.1.0
+ fido_cbor_info_free@Base 1.1.0
+ fido_cbor_info_maxmsgsiz@Base 1.1.0
+ fido_cbor_info_new@Base 1.1.0
+ fido_cbor_info_options_len@Base 1.1.0
+ fido_cbor_info_options_name_ptr@Base 1.1.0
+ fido_cbor_info_options_value_ptr@Base 1.1.0
+ fido_cbor_info_protocols_len@Base 1.1.0
+ fido_cbor_info_protocols_ptr@Base 1.1.0
+ fido_cbor_info_versions_len@Base 1.1.0
+ fido_cbor_info_versions_ptr@Base 1.1.0
+ fido_cred_authdata_len@Base 1.1.0
+ fido_cred_authdata_ptr@Base 1.1.0
+ fido_cred_clientdata_hash_len@Base 1.1.0
+ fido_cred_clientdata_hash_ptr@Base 1.1.0
+ fido_cred_display_name@Base 1.2.0
+ fido_cred_exclude@Base 1.1.0
+ fido_cred_flags@Base 1.1.0
+ fido_cred_fmt@Base 1.1.0
+ fido_cred_free@Base 1.1.0
+ fido_cred_id_len@Base 1.1.0
+ fido_cred_id_ptr@Base 1.1.0
+ fido_cred_new@Base 1.1.0
+ fido_cred_pubkey_len@Base 1.1.0
+ fido_cred_pubkey_ptr@Base 1.1.0
+ fido_cred_rp_id@Base 1.1.0
+ fido_cred_rp_name@Base 1.1.0
+ fido_cred_set_authdata@Base 1.1.0
+ fido_cred_set_clientdata_hash@Base 1.1.0
+ fido_cred_set_extensions@Base 1.1.0
+ fido_cred_set_fmt@Base 1.1.0
+ fido_cred_set_options@Base 1.1.0
+ fido_cred_set_rk@Base 1.2.0
+ fido_cred_set_rp@Base 1.1.0
+ fido_cred_set_sig@Base 1.1.0
+ fido_cred_set_type@Base 1.1.0
+ fido_cred_set_user@Base 1.1.0
+ fido_cred_set_uv@Base 1.2.0
+ fido_cred_set_x509@Base 1.1.0
+ fido_cred_sig_len@Base 1.1.0
+ fido_cred_sig_ptr@Base 1.1.0
+ fido_cred_type@Base 1.2.0
+ fido_cred_user_id_len@Base 1.2.0
+ fido_cred_user_id_ptr@Base 1.2.0
+ fido_cred_user_name@Base 1.2.0
+ fido_cred_verify@Base 1.1.0
+ fido_cred_x5c_len@Base 1.1.0
+ fido_cred_x5c_ptr@Base 1.1.0
+ fido_credman_del_dev_rk@Base 1.2.0
+ fido_credman_get_dev_metadata@Base 1.2.0
+ fido_credman_get_dev_rk@Base 1.2.0
+ fido_credman_get_dev_rp@Base 1.2.0
+ fido_credman_metadata_free@Base 1.2.0
+ fido_credman_metadata_new@Base 1.2.0
+ fido_credman_rk@Base 1.2.0
+ fido_credman_rk_count@Base 1.2.0
+ fido_credman_rk_existing@Base 1.2.0
+ fido_credman_rk_free@Base 1.2.0
+ fido_credman_rk_new@Base 1.2.0
+ fido_credman_rk_remaining@Base 1.2.0
+ fido_credman_rp_count@Base 1.2.0
+ fido_credman_rp_free@Base 1.2.0
+ fido_credman_rp_id@Base 1.2.0
+ fido_credman_rp_id_hash_len@Base 1.2.0
+ fido_credman_rp_id_hash_ptr@Base 1.2.0
+ fido_credman_rp_name@Base 1.2.0
+ fido_credman_rp_new@Base 1.2.0
+ fido_dev_build@Base 1.1.0
+ fido_dev_close@Base 1.1.0
+ fido_dev_flags@Base 1.1.0
+ fido_dev_force_fido2@Base 1.1.0
+ fido_dev_force_u2f@Base 1.1.0
+ fido_dev_free@Base 1.1.0
+ fido_dev_get_assert@Base 1.1.0
+ fido_dev_get_cbor_info@Base 1.1.0
+ fido_dev_get_retry_count@Base 1.1.0
+ fido_dev_info_free@Base 1.1.0
+ fido_dev_info_manifest@Base 1.1.0
+ fido_dev_info_manufacturer_string@Base 1.1.0
+ fido_dev_info_new@Base 1.1.0
+ fido_dev_info_path@Base 1.1.0
+ fido_dev_info_product@Base 1.1.0
+ fido_dev_info_product_string@Base 1.1.0
+ fido_dev_info_ptr@Base 1.1.0
+ fido_dev_info_vendor@Base 1.1.0
+ fido_dev_is_fido2@Base 1.1.0
+ fido_dev_major@Base 1.1.0
+ fido_dev_make_cred@Base 1.1.0
+ fido_dev_minor@Base 1.1.0
+ fido_dev_new@Base 1.1.0
+ fido_dev_open@Base 1.1.0
+ fido_dev_protocol@Base 1.1.0
+ fido_dev_reset@Base 1.1.0
+ fido_dev_set_io_functions@Base 1.1.0
+ fido_dev_set_pin@Base 1.1.0
+ fido_init@Base 1.1.0
+ fido_strerr@Base 1.1.0
+ rs256_pk_free@Base 1.1.0
+ rs256_pk_from_RSA@Base 1.1.0
+ rs256_pk_from_ptr@Base 1.1.0
+ rs256_pk_new@Base 1.1.0
+ rs256_pk_to_EVP_PKEY@Base 1.1.0
diff --git a/debian/libfido2-dev.install b/debian/libfido2-dev.install
new file mode 100644
index 0000000..77fd2fb
--- /dev/null
+++ b/debian/libfido2-dev.install
@@ -0,0 +1,23 @@
+usr/include
+usr/lib/*/*.so
+usr/lib/*/pkgconfig/*.pc
+usr/share/doc/libfido2/es256_pk.html
+usr/share/doc/libfido2/fido.html
+usr/share/doc/libfido2/fido_assert.html
+usr/share/doc/libfido2/fido_assert_allow_cred.html
+usr/share/doc/libfido2/fido_assert_set.html
+usr/share/doc/libfido2/fido_assert_verify.html
+usr/share/doc/libfido2/fido_cbor_info.html
+usr/share/doc/libfido2/fido_cred.html
+usr/share/doc/libfido2/fido_cred_exclude.html
+usr/share/doc/libfido2/fido_cred_set.html
+usr/share/doc/libfido2/fido_cred_verify.html
+usr/share/doc/libfido2/fido_dev_get_assert.html
+usr/share/doc/libfido2/fido_dev_info_manifest.html
+usr/share/doc/libfido2/fido_dev_make_cred.html
+usr/share/doc/libfido2/fido_dev_open.html
+usr/share/doc/libfido2/fido_dev_set_io_functions.html
+usr/share/doc/libfido2/fido_dev_set_pin.html
+usr/share/doc/libfido2/fido_strerr.html
+usr/share/doc/libfido2/rs256_pk.html
+usr/share/doc/libfido2/style.css
diff --git a/debian/libfido2-dev.links b/debian/libfido2-dev.links
new file mode 100644
index 0000000..6fd8356
--- /dev/null
+++ b/debian/libfido2-dev.links
@@ -0,0 +1,148 @@
+/usr/share/man/man3/es256_pk.3 /usr/share/man/man3/es256_pk_new.3
+/usr/share/man/man3/es256_pk.3 /usr/share/man/man3/es256_pk_free.3
+/usr/share/man/man3/es256_pk.3 /usr/share/man/man3/es256_pk_from_EC_KEY.3
+/usr/share/man/man3/es256_pk.3 /usr/share/man/man3/es256_pk_from_ptr.3
+/usr/share/man/man3/es256_pk.3 /usr/share/man/man3/es256_pk_to_EVP_PKEY.3
+/usr/share/man/man3/fido.3 /usr/share/man/man3/fido_init.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_new.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_free.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_count.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_user_display_name.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_user_icon.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_user_name.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_authdata_ptr.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_clientdata_hash_ptr.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_user_id_ptr.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_sig_ptr.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_authdata_len.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_clientdata_hash_len.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_user_id_len.3
+/usr/share/man/man3/fido_assert.3 /usr/share/man/man3/fido_assert_sig_len.3
+/usr/share/man/man3/fido_assert_set.3 /usr/share/man/man3/fido_assert_set_authdata.3
+/usr/share/man/man3/fido_assert_set.3 /usr/share/man/man3/fido_assert_set_clientdata_hash.3
+/usr/share/man/man3/fido_assert_set.3 /usr/share/man/man3/fido_assert_set_count.3
+/usr/share/man/man3/fido_assert_set.3 /usr/share/man/man3/fido_assert_set_options.3
+/usr/share/man/man3/fido_assert_set.3 /usr/share/man/man3/fido_assert_set_rp.3
+/usr/share/man/man3/fido_assert_set.3 /usr/share/man/man3/fido_assert_set_sig.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_new.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_free.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_fmt.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_authdata_ptr.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_clientdata_hash_ptr.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_id_ptr.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_pubkey_ptr.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_sig_ptr.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_x5c_ptr.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_authdata_len.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_clientdata_hash_len.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_id_len.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_pubkey_len.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_sig_len.3
+/usr/share/man/man3/fido_cred.3 /usr/share/man/man3/fido_cred_x5c_len.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_authdata.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_x509.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_sig.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_clientdata_hash.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_rp.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_user.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_options.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_fmt.3
+/usr/share/man/man3/fido_cred_set.3 /usr/share/man/man3/fido_cred_set_type.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_new.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_free.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_ptr.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_path.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_product.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_vendor.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_manufacturer_string.3
+/usr/share/man/man3/fido_dev_info_manifest.3 /usr/share/man/man3/fido_dev_info_product_string.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_close.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_new.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_free.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_is_fido2.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_protocol.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_build.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_flags.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_major.3
+/usr/share/man/man3/fido_dev_open.3 /usr/share/man/man3/fido_dev_minor.3
+/usr/share/man/man3/fido_dev_set_pin.3 /usr/share/man/man3/fido_dev_get_retry_count.3
+/usr/share/man/man3/fido_dev_set_pin.3 /usr/share/man/man3/fido_dev_reset.3
+/usr/share/man/man3/rs256_pk.3 /usr/share/man/man3/rs256_pk_new.3
+/usr/share/man/man3/rs256_pk.3 /usr/share/man/man3/rs256_pk_free.3
+/usr/share/man/man3/rs256_pk.3 /usr/share/man/man3/rs256_pk_from_RSA.3
+/usr/share/man/man3/rs256_pk.3 /usr/share/man/man3/rs256_pk_from_ptr.3
+/usr/share/man/man3/rs256_pk.3 /usr/share/man/man3/rs256_pk_to_EVP_PKEY.3
+/usr/share/doc/libfido2/es256_pk.html /usr/share/doc/libfido2/es256_pk_new.html
+/usr/share/doc/libfido2/es256_pk.html /usr/share/doc/libfido2/es256_pk_free.html
+/usr/share/doc/libfido2/es256_pk.html /usr/share/doc/libfido2/es256_pk_from_EC_KEY.html
+/usr/share/doc/libfido2/es256_pk.html /usr/share/doc/libfido2/es256_pk_from_ptr.html
+/usr/share/doc/libfido2/es256_pk.html /usr/share/doc/libfido2/es256_pk_to_EVP_PKEY.html
+/usr/share/doc/libfido2/fido.html /usr/share/doc/libfido2/fido_init.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_new.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_free.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_count.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_user_display_name.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_user_icon.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_user_name.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_authdata_ptr.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_clientdata_hash_ptr.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_user_id_ptr.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_sig_ptr.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_authdata_len.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_clientdata_hash_len.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_user_id_len.html
+/usr/share/doc/libfido2/fido_assert.html /usr/share/doc/libfido2/fido_assert_sig_len.html
+/usr/share/doc/libfido2/fido_assert_set.html /usr/share/doc/libfido2/fido_assert_set_authdata.html
+/usr/share/doc/libfido2/fido_assert_set.html /usr/share/doc/libfido2/fido_assert_set_clientdata_hash.html
+/usr/share/doc/libfido2/fido_assert_set.html /usr/share/doc/libfido2/fido_assert_set_count.html
+/usr/share/doc/libfido2/fido_assert_set.html /usr/share/doc/libfido2/fido_assert_set_options.html
+/usr/share/doc/libfido2/fido_assert_set.html /usr/share/doc/libfido2/fido_assert_set_rp.html
+/usr/share/doc/libfido2/fido_assert_set.html /usr/share/doc/libfido2/fido_assert_set_sig.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_new.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_free.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_fmt.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_authdata_ptr.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_clientdata_hash_ptr.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_id_ptr.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_pubkey_ptr.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_sig_ptr.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_x5c_ptr.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_authdata_len.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_clientdata_hash_len.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_id_len.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_pubkey_len.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_sig_len.html
+/usr/share/doc/libfido2/fido_cred.html /usr/share/doc/libfido2/fido_cred_x5c_len.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_authdata.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_x509.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_sig.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_clientdata_hash.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_rp.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_user.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_options.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_fmt.html
+/usr/share/doc/libfido2/fido_cred_set.html /usr/share/doc/libfido2/fido_cred_set_type.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_new.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_free.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_ptr.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_path.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_product.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_vendor.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_docufacturer_string.html
+/usr/share/doc/libfido2/fido_dev_info_manifest.html /usr/share/doc/libfido2/fido_dev_info_product_string.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_close.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_new.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_free.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_is_fido2.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_protocol.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_build.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_flags.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_major.html
+/usr/share/doc/libfido2/fido_dev_open.html /usr/share/doc/libfido2/fido_dev_minor.html
+/usr/share/doc/libfido2/fido_dev_set_pin.html /usr/share/doc/libfido2/fido_dev_get_retry_count.html
+/usr/share/doc/libfido2/fido_dev_set_pin.html /usr/share/doc/libfido2/fido_dev_reset.html
+/usr/share/doc/libfido2/rs256_pk.html /usr/share/doc/libfido2/rs256_pk_new.html
+/usr/share/doc/libfido2/rs256_pk.html /usr/share/doc/libfido2/rs256_pk_free.html
+/usr/share/doc/libfido2/rs256_pk.html /usr/share/doc/libfido2/rs256_pk_from_RSA.html
+/usr/share/doc/libfido2/rs256_pk.html /usr/share/doc/libfido2/rs256_pk_from_ptr.html
+/usr/share/doc/libfido2/rs256_pk.html /usr/share/doc/libfido2/rs256_pk_to_EVP_PKEY.html
diff --git a/debian/libfido2-dev.manpages b/debian/libfido2-dev.manpages
new file mode 100644
index 0000000..1dab8b8
--- /dev/null
+++ b/debian/libfido2-dev.manpages
@@ -0,0 +1,19 @@
+man/es256_pk.3
+man/fido.3
+man/fido_assert.3
+man/fido_assert_allow_cred.3
+man/fido_assert_set.3
+man/fido_assert_verify.3
+man/fido_cbor_info.3
+man/fido_cred.3
+man/fido_cred_exclude.3
+man/fido_cred_set.3
+man/fido_cred_verify.3
+man/fido_dev_get_assert.3
+man/fido_dev_info_manifest.3
+man/fido_dev_make_cred.3
+man/fido_dev_open.3
+man/fido_dev_set_io_functions.3
+man/fido_dev_set_pin.3
+man/fido_strerr.3
+man/rs256_pk.3
diff --git a/debian/libfido2-udev.install b/debian/libfido2-udev.install
new file mode 100644
index 0000000..528cb53
--- /dev/null
+++ b/debian/libfido2-udev.install
@@ -0,0 +1 @@
+lib/udev/rules.d
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..bb7acbc
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,9 @@
+#!/usr/bin/make -f
+
+DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
+
+%:
+        dh $@
+
+override_dh_auto_configure:
+        dh_auto_configure -- -DUDEV_RULES_DIR=/lib/udev/rules.d
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/fuzz/report.html.gz b/fuzz/report.html.gz
new file mode 100644
index 0000000..9f07223
--- /dev/null
+++ b/fuzz/report.html.gz
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index d1d8652..bee126c 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -18,6 +18,7 @@
 #if defined(__APPLE__) && !defined(HAVE_ENDIAN_H)
 #include <libkern/OSByteOrder.h>
 #define be16toh(x) OSSwapBigToHostInt16((x))
+#define htobe16(x) OSSwapHostToBigInt16((x))
 #define be32toh(x) OSSwapBigToHostInt32((x))
 #endif /* __APPLE__ && !HAVE_ENDIAN_H */
 
@@ -27,6 +28,7 @@
 #include <sys/param.h>
 #endif
 #define be16toh(x) ntohs((x))
+#define htobe16(x) htons((x))
 #define be32toh(x) ntohl((x))
 #endif /* _WIN32 && !HAVE_ENDIAN_H */
 
diff --git a/src/iso7816.c b/src/iso7816.c
index e2ea281..a3fd280 100644
--- a/src/iso7816.c
+++ b/src/iso7816.c
@@ -13,7 +13,7 @@ iso7816_new(uint8_t ins, uint8_t p1, uint16_t payload_len)
         iso7816_apdu_t  *apdu;
         size_t           alloc_len;
 
-        alloc_len = sizeof(iso7816_apdu_t) + payload_len;
+        alloc_len = sizeof(iso7816_apdu_t) + payload_len + 2; /* le1 le2 */
 
         if ((apdu = calloc(1, alloc_len)) == NULL)
                 return (NULL);
diff --git a/src/u2f.c b/src/u2f.c
index 3f2d9aa..82b289f 100644
--- a/src/u2f.c
+++ b/src/u2f.c
@@ -439,7 +439,7 @@ encode_cred_authdata(const char *rp_id, const uint8_t *kh, uint8_t kh_len,
         authdata.sigcount = 0;
 
         memset(&attcred_raw.aaguid, 0, sizeof(attcred_raw.aaguid));
-        attcred_raw.id_len = (uint16_t)(kh_len << 8); /* XXX */
+        attcred_raw.id_len = htobe16(kh_len);
 
         len = authdata_blob.len = sizeof(authdata) + sizeof(attcred_raw) +
             kh_len + pk_blob.len;
diff --git a/tools/CMakeLists.txt b/tools/CMakeLists.txt
index 5f27e88..4b8ef32 100644
--- a/tools/CMakeLists.txt
+++ b/tools/CMakeLists.txt
@@ -49,17 +49,10 @@ add_executable(fido2-token
         ${COMPAT_SOURCES}
 )
 
-add_library(sk-libfido2 MODULE sk-libfido2.c)
-set_target_properties(sk-libfido2 PROPERTIES
-        COMPILE_FLAGS "-DSK_STANDALONE -DWITH_OPENSSL"
-        OUTPUT_NAME sk-libfido2
-)
 
 target_link_libraries(fido2-cred ${CRYPTO_LIBRARIES} fido2_shared)
 target_link_libraries(fido2-assert ${CRYPTO_LIBRARIES} fido2_shared)
 target_link_libraries(fido2-token ${CRYPTO_LIBRARIES} fido2_shared)
-target_link_libraries(sk-libfido2 ${CRYPTO_LIBRARIES} fido2_shared)
 
 install(TARGETS fido2-cred fido2-assert fido2-token
         DESTINATION ${CMAKE_INSTALL_BINDIR})
-install(TARGETS sk-libfido2 DESTINATION ${CMAKE_INSTALL_LIBDIR})
diff --git a/tools/sk-libfido2.c b/tools/sk-libfido2.c
deleted file mode 100644
index 15aa813..0000000
--- a/tools/sk-libfido2.c
+++ /dev/null
@@ -1,784 +0,0 @@
-/*
- * Copyright (c) 2019 Markus Friedl
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <fcntl.h>
-#include <stdint.h>
-#include <stdlib.h>
-#include <string.h>
-#include <stdio.h>
-#include <stddef.h>
-#include <stdarg.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-
-#ifdef WITH_OPENSSL
-#include <openssl/opensslv.h>
-#include <openssl/crypto.h>
-#include <openssl/bn.h>
-#include <openssl/ec.h>
-#include <openssl/ecdsa.h>
-#endif /* WITH_OPENSSL */
-
-#include <fido.h>
-
-#ifndef SK_STANDALONE
-#include "log.h"
-#include "xmalloc.h"
-#endif
-
-/* #define SK_DEBUG 1 */
-
-#if defined(_WIN32)
-#include <windows.h>
-#include <winternl.h>
-#include <winerror.h>
-#include <bcrypt.h>
-#include <sal.h>
-#endif 
-
-#define MAX_FIDO_DEVICES        256
-
-/* Compatibility with OpenSSL 1.0.x */
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-#define ECDSA_SIG_get0(sig, pr, ps) \
-        do { \
-                (*pr) = sig->r; \
-                (*ps) = sig->s; \
-        } while (0)
-#endif
-
-#define SK_VERSION_MAJOR        0x00020000 /* current API version */
-
-/* Flags */
-#define SK_USER_PRESENCE_REQD   0x01
-
-/* Algs */
-#define SK_ECDSA                0x00
-#define SK_ED25519              0x01
-
-struct sk_enroll_response {
-        uint8_t *public_key;
-        size_t public_key_len;
-        uint8_t *key_handle;
-        size_t key_handle_len;
-        uint8_t *signature;
-        size_t signature_len;
-        uint8_t *attestation_cert;
-        size_t attestation_cert_len;
-};
-
-struct sk_sign_response {
-        uint8_t flags;
-        uint32_t counter;
-        uint8_t *sig_r;
-        size_t sig_r_len;
-        uint8_t *sig_s;
-        size_t sig_s_len;
-};
-
-/* If building as part of OpenSSH, then rename exported functions */
-#if !defined(SK_STANDALONE)
-#define sk_api_version  ssh_sk_api_version
-#define sk_enroll       ssh_sk_enroll
-#define sk_sign         ssh_sk_sign
-#endif
-
-/* Return the version of the middleware API */
-uint32_t sk_api_version(void);
-
-/* Enroll a U2F key (private key generation) */
-int sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
-    const char *application, uint8_t flags,
-    struct sk_enroll_response **enroll_response);
-
-/* Sign a challenge */
-int sk_sign(int alg, const uint8_t *message, size_t message_len,
-    const char *application, const uint8_t *key_handle, size_t key_handle_len,
-    uint8_t flags, struct sk_sign_response **sign_response);
-
-#ifdef SK_DEBUG
-static void skdebug(const char *func, const char *fmt, ...)
-    __attribute__((__format__ (printf, 2, 3)));
-
-static void
-skdebug(const char *func, const char *fmt, ...)
-{
-#if !defined(SK_STANDALONE)
-        char *msg;
-        va_list ap;
-
-        va_start(ap, fmt);
-        xvasprintf(&msg, fmt, ap);
-        va_end(ap);
-        debug("%s: %s", func, msg);
-        free(msg);
-#else
-        va_list ap;
-
-        va_start(ap, fmt);
-        fprintf(stderr, "%s: ", func);
-        vfprintf(stderr, fmt, ap);
-        fputc('\n', stderr);
-        va_end(ap);
-#endif /* !SK_STANDALONE */
-}
-#else
-#define skdebug(...) do { /* nothing */ } while (0)
-#endif /* SK_DEBUG */
-
-uint32_t
-sk_api_version(void)
-{
-        return SK_VERSION_MAJOR;
-}
-
-/* Select the first identified FIDO device attached to the system */
-static char *
-pick_first_device(void)
-{
-        char *ret = NULL;
-        fido_dev_info_t *devlist = NULL;
-        size_t olen = 0;
-        int r;
-        const fido_dev_info_t *di;
-
-        if ((devlist = fido_dev_info_new(1)) == NULL) {
-                skdebug(__func__, "fido_dev_info_new failed");
-                goto out;
-        }
-        if ((r = fido_dev_info_manifest(devlist, 1, &olen)) != FIDO_OK) {
-                skdebug(__func__, "fido_dev_info_manifest failed: %s",
-                    fido_strerr(r));
-                goto out;
-        }
-        if (olen != 1) {
-                skdebug(__func__, "fido_dev_info_manifest bad len %zu", olen);
-                goto out;
-        }
-        di = fido_dev_info_ptr(devlist, 0);
-        if ((ret = strdup(fido_dev_info_path(di))) == NULL) {
-                skdebug(__func__, "fido_dev_info_path failed");
-                goto out;
-        }
- out:
-        fido_dev_info_free(&devlist, 1);
-        return ret;
-}
-
-#if defined(HAVE_ARC4RANDOM_BUF)
-static int
-get_random_challenge(uint8_t *ptr, size_t len)
-{
-        arc4random_buf(ptr, len);
-
-        return 0;
-}
-#elif defined(HAVE_GETENTROPY)
-static int
-get_random_challenge(uint8_t *ptr, size_t len)
-{
-        if (getentropy(ptr, len) == -1) {
-                skdebug(__func__, "getentropy failed");
-                return -1;
-        }
-
-        return 0;
-}
-#elif defined(HAS_DEV_URANDOM)
-static int
-get_random_challenge(uint8_t *ptr, size_t len)
-{
-        int fd;
-        ssize_t n;
-
-        if ((fd = open(FIDO_RANDOM_DEV, O_RDONLY)) < 0) {
-                skdebug(__func__, "open %s failed", FIDO_RANDOM_DEV);
-                return -1;
-        }
-
-        n = read(fd, ptr, len);
-        close(fd);
-
-        if (n < 0 || (size_t)n != len) {
-                skdebug(__func__, "read from %s failed", FIDO_RANDOM_DEV);
-                return -1;
-        }
-
-        return 0;
-}
-#elif defined(_WIN32)
-static int
-get_random_challenge(uint8_t *ptr, size_t len)
-{
-        NTSTATUS status;
-
-        status = BCryptGenRandom(NULL, ptr, len,
-            BCRYPT_USE_SYSTEM_PREFERRED_RNG);
-        if (!NT_SUCCESS(status))
-                return -1;
-
-        return 0;
-}
-#else
-#error "please provide an implementation of get_random_challenge() for your platform"
-#endif
-
-/* Check if the specified key handle exists on a given device. */
-static int
-try_device(fido_dev_t *dev, const char *application,
-    const uint8_t *key_handle, size_t key_handle_len)
-{
-        fido_assert_t *assert = NULL;
-        uint8_t challenge[32];
-        int r = FIDO_ERR_INTERNAL;
-
-        if (get_random_challenge(challenge, sizeof(challenge)) == -1) {
-                skdebug(__func__, "get_random_challenge failed");
-                goto out;
-        }
-
-        if ((assert = fido_assert_new()) == NULL) {
-                skdebug(__func__, "fido_assert_new failed");
-                goto out;
-        }
-        if ((r = fido_assert_set_clientdata_hash(assert, challenge,
-            sizeof(challenge))) != FIDO_OK) {
-                skdebug(__func__, "fido_assert_set_clientdata_hash: %s",
-                    fido_strerr(r));
-                goto out;
-        }
-        if ((r = fido_assert_set_rp(assert, application)) != FIDO_OK) {
-                skdebug(__func__, "fido_assert_set_rp: %s", fido_strerr(r));
-                goto out;
-        }
-        if ((r = fido_assert_allow_cred(assert, key_handle,
-            key_handle_len)) != FIDO_OK) {
-                skdebug(__func__, "fido_assert_allow_cred: %s", fido_strerr(r));
-                goto out;
-        }
-        if ((r = fido_assert_set_up(assert, FIDO_OPT_FALSE)) != FIDO_OK) {
-                skdebug(__func__, "fido_assert_up: %s", fido_strerr(r));
-                goto out;
-        }
-        r = fido_dev_get_assert(dev, assert, NULL);
-        skdebug(__func__, "fido_dev_get_assert: %s", fido_strerr(r));
-        if (r == FIDO_ERR_USER_PRESENCE_REQUIRED) {
-                /* U2F tokens may return this */
-                r = FIDO_OK;
-        }
- out:
-        fido_assert_free(&assert);
-
-        return r != FIDO_OK ? -1 : 0;
-}
-
-/* Iterate over configured devices looking for a specific key handle */
-static fido_dev_t *
-find_device(const char *application, const uint8_t *key_handle,
-    size_t key_handle_len)
-{
-        fido_dev_info_t *devlist = NULL;
-        fido_dev_t *dev = NULL;
-        size_t devlist_len = 0, i;
-        const char *path;
-        int r;
-
-        if ((devlist = fido_dev_info_new(MAX_FIDO_DEVICES)) == NULL) {
-                skdebug(__func__, "fido_dev_info_new failed");
-                goto out;
-        }
-        if ((r = fido_dev_info_manifest(devlist, MAX_FIDO_DEVICES,
-            &devlist_len)) != FIDO_OK) {
-                skdebug(__func__, "fido_dev_info_manifest: %s", fido_strerr(r));
-                goto out;
-        }
-
-        skdebug(__func__, "found %zu device(s)", devlist_len);
-
-        for (i = 0; i < devlist_len; i++) {
-                const fido_dev_info_t *di = fido_dev_info_ptr(devlist, i);
-
-                if (di == NULL) {
-                        skdebug(__func__, "fido_dev_info_ptr %zu failed", i);
-                        continue;
-                }
-                if ((path = fido_dev_info_path(di)) == NULL) {
-                        skdebug(__func__, "fido_dev_info_path %zu failed", i);
-                        continue;
-                }
-                skdebug(__func__, "trying device %zu: %s", i, path);
-                if ((dev = fido_dev_new()) == NULL) {
-                        skdebug(__func__, "fido_dev_new failed");
-                        continue;
-                }
-                if ((r = fido_dev_open(dev, path)) != FIDO_OK) {
-                        skdebug(__func__, "fido_dev_open failed");
-                        fido_dev_free(&dev);
-                        continue;
-                }
-                if (try_device(dev, application, key_handle,
-                    key_handle_len) == 0) {
-                        skdebug(__func__, "found key");
-                        break;
-                }
-                fido_dev_close(dev);
-                fido_dev_free(&dev);
-        }
-
- out:
-        if (devlist != NULL)
-                fido_dev_info_free(&devlist, MAX_FIDO_DEVICES);
-
-        return dev;
-}
-
-#ifdef WITH_OPENSSL
-/*
- * The key returned via fido_cred_pubkey_ptr() is in affine coordinates,
- * but the API expects a SEC1 octet string.
- */
-static int
-pack_public_key_ecdsa(fido_cred_t *cred, struct sk_enroll_response *response)
-{
-        const uint8_t *ptr;
-        BIGNUM *x = NULL, *y = NULL;
-        EC_POINT *q = NULL;
-        EC_GROUP *g = NULL;
-        int ret = -1;
-
-        response->public_key = NULL;
-        response->public_key_len = 0;
-
-        if ((x = BN_new()) == NULL ||
-            (y = BN_new()) == NULL ||
-            (g = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) == NULL ||
-            (q = EC_POINT_new(g)) == NULL) {
-                skdebug(__func__, "libcrypto setup failed");
-                goto out;
-        }
-        if ((ptr = fido_cred_pubkey_ptr(cred)) == NULL) {
-                skdebug(__func__, "fido_cred_pubkey_ptr failed");
-                goto out;
-        }
-        if (fido_cred_pubkey_len(cred) != 64) {
-                skdebug(__func__, "bad fido_cred_pubkey_len %zu",
-                    fido_cred_pubkey_len(cred));
-                goto out;
-        }
-
-        if (BN_bin2bn(ptr, 32, x) == NULL ||
-            BN_bin2bn(ptr + 32, 32, y) == NULL) {
-                skdebug(__func__, "BN_bin2bn failed");
-                goto out;
-        }
-        if (EC_POINT_set_affine_coordinates_GFp(g, q, x, y, NULL) != 1) {
-                skdebug(__func__, "EC_POINT_set_affine_coordinates_GFp failed");
-                goto out;
-        }
-        response->public_key_len = EC_POINT_point2oct(g, q,
-            POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
-        if (response->public_key_len == 0 || response->public_key_len > 2048) {
-                skdebug(__func__, "bad pubkey length %zu",
-                    response->public_key_len);
-                goto out;
-        }
-        if ((response->public_key = malloc(response->public_key_len)) == NULL) {
-                skdebug(__func__, "malloc pubkey failed");
-                goto out;
-        }
-        if (EC_POINT_point2oct(g, q, POINT_CONVERSION_UNCOMPRESSED,
-            response->public_key, response->public_key_len, NULL) == 0) {
-                skdebug(__func__, "EC_POINT_point2oct failed");
-                goto out;
-        }
-        /* success */
-        ret = 0;
- out:
-        if (ret != 0 && response->public_key != NULL) {
-                memset(response->public_key, 0, response->public_key_len);
-                free(response->public_key);
-                response->public_key = NULL;
-        }
-        EC_POINT_free(q);
-        EC_GROUP_free(g);
-        BN_clear_free(x);
-        BN_clear_free(y);
-        return ret;
-}
-#endif /* WITH_OPENSSL */
-
-static int
-pack_public_key_ed25519(fido_cred_t *cred, struct sk_enroll_response *response)
-{
-        const uint8_t *ptr;
-        size_t len;
-        int ret = -1;
-
-        response->public_key = NULL;
-        response->public_key_len = 0;
-
-        if ((len = fido_cred_pubkey_len(cred)) != 32) {
-                skdebug(__func__, "bad fido_cred_pubkey_len len %zu", len);
-                goto out;
-        }
-        if ((ptr = fido_cred_pubkey_ptr(cred)) == NULL) {
-                skdebug(__func__, "fido_cred_pubkey_ptr failed");
-                goto out;
-        }
-        response->public_key_len = len;
-        if ((response->public_key = malloc(response->public_key_len)) == NULL) {
-                skdebug(__func__, "malloc pubkey failed");
-                goto out;
-        }
-        memcpy(response->public_key, ptr, len);
-        ret = 0;
- out:
-        if (ret != 0)
-                free(response->public_key);
-        return ret;
-}
-
-static int
-pack_public_key(int alg, fido_cred_t *cred, struct sk_enroll_response *response)
-{
-        switch(alg) {
-#ifdef WITH_OPENSSL
-        case SK_ECDSA:
-                return pack_public_key_ecdsa(cred, response);
-#endif /* WITH_OPENSSL */
-        case SK_ED25519:
-                return pack_public_key_ed25519(cred, response);
-        default:
-                return -1;
-        }
-}
-
-int
-sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
-    const char *application, uint8_t flags,
-    struct sk_enroll_response **enroll_response)
-{
-        fido_cred_t *cred = NULL;
-        fido_dev_t *dev = NULL;
-        const uint8_t *ptr;
-        uint8_t user_id[32];
-        struct sk_enroll_response *response = NULL;
-        size_t len;
-        int cose_alg;
-        int ret = -1;
-        int r;
-        char *device = NULL;
-
-        (void)flags; /* XXX; unused */
-#ifdef SK_DEBUG
-        fido_init(FIDO_DEBUG);
-#endif
-        if (enroll_response == NULL) {
-                skdebug(__func__, "enroll_response == NULL");
-                goto out;
-        }
-        *enroll_response = NULL;
-        switch(alg) {
-#ifdef WITH_OPENSSL
-        case SK_ECDSA:
-                cose_alg = COSE_ES256;
-                break;
-#endif /* WITH_OPENSSL */
-        case SK_ED25519:
-                cose_alg = COSE_EDDSA;
-                break;
-        default:
-                skdebug(__func__, "unsupported key type %d", alg);
-                goto out;
-        }
-        if ((device = pick_first_device()) == NULL) {
-                skdebug(__func__, "pick_first_device failed");
-                goto out;
-        }
-        skdebug(__func__, "using device %s", device);
-        if ((cred = fido_cred_new()) == NULL) {
-                skdebug(__func__, "fido_cred_new failed");
-                goto out;
-        }
-        memset(user_id, 0, sizeof(user_id));
-        if ((r = fido_cred_set_type(cred, cose_alg)) != FIDO_OK) {
-                skdebug(__func__, "fido_cred_set_type: %s", fido_strerr(r));
-                goto out;
-        }
-        if ((r = fido_cred_set_clientdata_hash(cred, challenge,
-            challenge_len)) != FIDO_OK) {
-                skdebug(__func__, "fido_cred_set_clientdata_hash: %s",
-                    fido_strerr(r));
-                goto out;
-        }
-        if ((r = fido_cred_set_user(cred, user_id, sizeof(user_id),
-            "openssh", "openssh", NULL)) != FIDO_OK) {
-                skdebug(__func__, "fido_cred_set_user: %s", fido_strerr(r));
-                goto out;
-        }
-        if ((r = fido_cred_set_rp(cred, application, NULL)) != FIDO_OK) {
-                skdebug(__func__, "fido_cred_set_rp: %s", fido_strerr(r));
-                goto out;
-        }
-        if ((dev = fido_dev_new()) == NULL) {
-                skdebug(__func__, "fido_dev_new failed");
-                goto out;
-        }
-        if ((r = fido_dev_open(dev, device)) != FIDO_OK) {
-                skdebug(__func__, "fido_dev_open: %s", fido_strerr(r));
-                goto out;
-        }
-        if ((r = fido_dev_make_cred(dev, cred, NULL)) != FIDO_OK) {
-                skdebug(__func__, "fido_dev_make_cred: %s", fido_strerr(r));
-                goto out;
-        }
-        if (fido_cred_x5c_ptr(cred) != NULL) {
-                if ((r = fido_cred_verify(cred)) != FIDO_OK) {
-                        skdebug(__func__, "fido_cred_verify: %s",
-                            fido_strerr(r));
-                        goto out;
-                }
-        } else {
-                skdebug(__func__, "self-attested credential");
-                if ((r = fido_cred_verify_self(cred)) != FIDO_OK) {
-                        skdebug(__func__, "fido_cred_verify_self: %s",
-                            fido_strerr(r));
-                        goto out;
-                }
-        }
-        if ((response = calloc(1, sizeof(*response))) == NULL) {
-                skdebug(__func__, "calloc response failed");
-                goto out;
-        }
-        if (pack_public_key(alg, cred, response) != 0) {
-                skdebug(__func__, "pack_public_key failed");
-                goto out;
-        }
-        if ((ptr = fido_cred_id_ptr(cred)) != NULL) {
-                len = fido_cred_id_len(cred);
-                if ((response->key_handle = calloc(1, len)) == NULL) {
-                        skdebug(__func__, "calloc key handle failed");
-                        goto out;
-                }
-                memcpy(response->key_handle, ptr, len);
-                response->key_handle_len = len;
-        }
-        if ((ptr = fido_cred_sig_ptr(cred)) != NULL) {
-                len = fido_cred_sig_len(cred);
-                if ((response->signature = calloc(1, len)) == NULL) {
-                        skdebug(__func__, "calloc signature failed");
-                        goto out;
-                }
-                memcpy(response->signature, ptr, len);
-                response->signature_len = len;
-        }
-        if ((ptr = fido_cred_x5c_ptr(cred)) != NULL) {
-                len = fido_cred_x5c_len(cred);
-                if ((response->attestation_cert = calloc(1, len)) == NULL) {
-                        skdebug(__func__, "calloc attestation cert failed");
-                        goto out;
-                }
-                memcpy(response->attestation_cert, ptr, len);
-                response->attestation_cert_len = len;
-        }
-        *enroll_response = response;
-        response = NULL;
-        ret = 0;
- out:
-        free(device);
-        if (response != NULL) {
-                free(response->public_key);
-                free(response->key_handle);
-                free(response->signature);
-                free(response->attestation_cert);
-                free(response);
-        }
-        if (dev != NULL) {
-                fido_dev_close(dev);
-                fido_dev_free(&dev);
-        }
-        if (cred != NULL) {
-                fido_cred_free(&cred);
-        }
-        return ret;
-}
-
-#ifdef WITH_OPENSSL
-static int
-pack_sig_ecdsa(fido_assert_t *assert, struct sk_sign_response *response)
-{
-        ECDSA_SIG *sig = NULL;
-        const BIGNUM *sig_r, *sig_s;
-        const unsigned char *cp;
-        size_t sig_len;
-        int ret = -1;
-
-        cp = fido_assert_sig_ptr(assert, 0);
-        sig_len = fido_assert_sig_len(assert, 0);
-        if ((sig = d2i_ECDSA_SIG(NULL, &cp, sig_len)) == NULL) {
-                skdebug(__func__, "d2i_ECDSA_SIG failed");
-                goto out;
-        }
-        ECDSA_SIG_get0(sig, &sig_r, &sig_s);
-        response->sig_r_len = BN_num_bytes(sig_r);
-        response->sig_s_len = BN_num_bytes(sig_s);
-        if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL ||
-            (response->sig_s = calloc(1, response->sig_s_len)) == NULL) {
-                skdebug(__func__, "calloc signature failed");
-                goto out;
-        }
-        BN_bn2bin(sig_r, response->sig_r);
-        BN_bn2bin(sig_s, response->sig_s);
-        ret = 0;
- out:
-        ECDSA_SIG_free(sig);
-        if (ret != 0) {
-                free(response->sig_r);
-                free(response->sig_s);
-                response->sig_r = NULL;
-                response->sig_s = NULL;
-        }
-        return ret;
-}
-#endif /* WITH_OPENSSL */
-
-static int
-pack_sig_ed25519(fido_assert_t *assert, struct sk_sign_response *response)
-{
-        const unsigned char *ptr;
-        size_t len;
-        int ret = -1;
-
-        ptr = fido_assert_sig_ptr(assert, 0);
-        len = fido_assert_sig_len(assert, 0);
-        if (len != 64) {
-                skdebug(__func__, "bad length %zu", len);
-                goto out;
-        }
-        response->sig_r_len = len;
-        if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL) {
-                skdebug(__func__, "calloc signature failed");
-                goto out;
-        }
-        memcpy(response->sig_r, ptr, len);
-        ret = 0;
- out:
-        if (ret != 0) {
-                free(response->sig_r);
-                response->sig_r = NULL;
-        }
-        return ret;
-}
-
-static int
-pack_sig(int alg, fido_assert_t *assert, struct sk_sign_response *response)
-{
-        switch(alg) {
-#ifdef WITH_OPENSSL
-        case SK_ECDSA:
-                return pack_sig_ecdsa(assert, response);
-#endif /* WITH_OPENSSL */
-        case SK_ED25519:
-                return pack_sig_ed25519(assert, response);
-        default:
-                return -1;
-        }
-}
-
-int
-sk_sign(int alg, const uint8_t *message, size_t message_len,
-    const char *application,
-    const uint8_t *key_handle, size_t key_handle_len,
-    uint8_t flags, struct sk_sign_response **sign_response)
-{
-        fido_assert_t *assert = NULL;
-        fido_dev_t *dev = NULL;
-        struct sk_sign_response *response = NULL;
-        int ret = -1;
-        int r;
-
-#ifdef SK_DEBUG
-        fido_init(FIDO_DEBUG);
-#endif
-
-        if (sign_response == NULL) {
-                skdebug(__func__, "sign_response == NULL");
-                goto out;
-        }
-        *sign_response = NULL;
-        if ((dev = find_device(application, key_handle,
-            key_handle_len)) == NULL) {
-                skdebug(__func__, "couldn't find device for key handle");
-                goto out;
-        }
-        if ((assert = fido_assert_new()) == NULL) {
-                skdebug(__func__, "fido_assert_new failed");
-                goto out;
-        }
-        if ((r = fido_assert_set_clientdata_hash(assert, message,
-            message_len)) != FIDO_OK) {
-                skdebug(__func__, "fido_assert_set_clientdata_hash: %s",
-                    fido_strerr(r));
-                goto out;
-        }
-        if ((r = fido_assert_set_rp(assert, application)) != FIDO_OK) {
-                skdebug(__func__, "fido_assert_set_rp: %s", fido_strerr(r));
-                goto out;
-        }
-        if ((r = fido_assert_allow_cred(assert, key_handle,
-            key_handle_len)) != FIDO_OK) {
-                skdebug(__func__, "fido_assert_allow_cred: %s", fido_strerr(r));
-                goto out;
-        }
-        if ((r = fido_assert_set_up(assert,
-            (flags & SK_USER_PRESENCE_REQD) ?
-            FIDO_OPT_TRUE : FIDO_OPT_FALSE)) != FIDO_OK) {
-                skdebug(__func__, "fido_assert_set_up: %s", fido_strerr(r));
-                goto out;
-        }
-        if ((r = fido_dev_get_assert(dev, assert, NULL)) != FIDO_OK) {
-                skdebug(__func__, "fido_dev_get_assert: %s", fido_strerr(r));
-                goto out;
-        }
-        if ((response = calloc(1, sizeof(*response))) == NULL) {
-                skdebug(__func__, "calloc response failed");
-                goto out;
-        }
-        response->flags = fido_assert_flags(assert, 0);
-        response->counter = fido_assert_sigcount(assert, 0);
-        if (pack_sig(alg, assert, response) != 0) {
-                skdebug(__func__, "pack_sig failed");
-                goto out;
-        }
-        *sign_response = response;
-        response = NULL;
-        ret = 0;
- out:
-        if (response != NULL) {
-                free(response->sig_r);
-                free(response->sig_s);
-                free(response);
-        }
-        if (dev != NULL) {
-                fido_dev_close(dev);
-                fido_dev_free(&dev);
-        }
-        if (assert != NULL) {
-                fido_assert_free(&assert);
-        }
-        return ret;
-}
diff --git a/udev/70-u2f.rules b/udev/70-u2f.rules
index 8dc20a1..3932270 100644
--- a/udev/70-u2f.rules
+++ b/udev/70-u2f.rules
@@ -35,8 +35,11 @@ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2abe", ATTRS{idProduct
 # Thetis Key
 KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1ea8", ATTRS{idProduct}=="f025", TAG+="uaccess", GROUP="plugdev", MODE="0660"
 
-# Nitrokey FIDO U2F
-KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+# Nitrokey FIDO U2F, Nitrokey FIDO2
+KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287|42b1", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# Safetech SafeKey
+KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42b3", TAG+="uaccess", GROUP="plugdev", MODE="0660"
 
 # Google Titan U2F
 KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="5026", TAG+="uaccess", GROUP="plugdev", MODE="0660"