Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/external/bsd/pam-u2f/dist Import version 1.2.0
details: https://anonhg.NetBSD.org/src/rev/6f747a1f64d1
branches: trunk
changeset: 1023717:6f747a1f64d1
user: christos <christos%NetBSD.org@localhost>
date: Fri Sep 24 12:51:20 2021 +0000
description:
Import version 1.2.0
* Version 1.2.0 (released 2021-09-22)
** Added support for EdDSA keys.
** Added support for SSH ed25519-sk keys.
** Added authenticator filtering based on user verification options.
** Fixed an issue with privilege restoration on MacOS.
** Fixed an issue where credentials created with pamu2fcfg 1.0.8 or earlier
were not handled correctly if their origin and appid differed.
** Miscellaneous improvements to the documentation.
** Miscellaneous minor bug fixes found by fuzzing.
* Version 1.1.1 (released 2021-05-19)
** Fix an issue where PIN authentication could be bypassed (CVE-2021-31924).
** Fix an issue with nodetect and non-resident credentials.
** Fix build issues with musl libc.
** Add support for self-attestation in pamu2fcfg.
** Fix minor bugs found by fuzzing.
* Version 1.1.0 (released 2020-09-17)
** Add support to FIDO2 (move from libu2f-host+libu2f-server to libfido2).
** Add support to User Verification
** Add support to PIN Verification
** Add support to Resident Credentials
** Add support to SSH credential format
diffstat:
external/bsd/pam-u2f/dist/.github/workflows/alpine_builds.yml | 49 +
external/bsd/pam-u2f/dist/.github/workflows/codeql-analysis.yml | 34 +
external/bsd/pam-u2f/dist/.github/workflows/format.yml | 32 +
external/bsd/pam-u2f/dist/.github/workflows/linux_builds.yml | 48 +
external/bsd/pam-u2f/dist/.github/workflows/linux_fuzz.yml | 29 +
external/bsd/pam-u2f/dist/.github/workflows/macos_builds.yml | 20 +
external/bsd/pam-u2f/dist/.github/workflows/scan.yml | 39 +
external/bsd/pam-u2f/dist/Makefile.am | 58 +-
external/bsd/pam-u2f/dist/NEWS | 26 +-
external/bsd/pam-u2f/dist/README | 362 +-
external/bsd/pam-u2f/dist/build-aux/ci/build-linux-clang.sh | 19 +
external/bsd/pam-u2f/dist/build-aux/ci/build-linux-gcc.sh | 10 +
external/bsd/pam-u2f/dist/build-aux/ci/build-osx.sh | 6 +-
external/bsd/pam-u2f/dist/build-aux/ci/distcheck.sh | 10 +
external/bsd/pam-u2f/dist/build-aux/ci/format-code.sh | 16 +-
external/bsd/pam-u2f/dist/build-aux/ci/fuzz-linux-asan.sh | 72 +
external/bsd/pam-u2f/dist/configure.ac | 91 +-
external/bsd/pam-u2f/dist/fuzz/Makefile.am | 15 +
external/bsd/pam-u2f/dist/fuzz/authfile.h | 29 +
external/bsd/pam-u2f/dist/fuzz/coverage.sh | 15 +
external/bsd/pam-u2f/dist/fuzz/fuzz.h | 36 +
external/bsd/pam-u2f/dist/fuzz/fuzz_auth.c | 315 ++
external/bsd/pam-u2f/dist/fuzz/fuzz_format_parsers.c | 97 +
external/bsd/pam-u2f/dist/fuzz/make_seed.py | 28 +
external/bsd/pam-u2f/dist/fuzz/pack.c | 79 +
external/bsd/pam-u2f/dist/fuzz/wiredata.h | 135 +
external/bsd/pam-u2f/dist/fuzz/wrap.c | 272 ++
external/bsd/pam-u2f/dist/man/pam_u2f.8.txt | 192 +-
external/bsd/pam-u2f/dist/man/pamu2fcfg.1.txt | 15 +-
external/bsd/pam-u2f/dist/pamu2fcfg/Makefile.am | 5 +-
external/bsd/pam-u2f/dist/pamu2fcfg/cmdline.ggo | 8 +-
external/bsd/pam-u2f/dist/pamu2fcfg/openbsd-compat.h | 20 +
external/bsd/pam-u2f/dist/pamu2fcfg/pamu2fcfg.c | 467 ++-
external/bsd/pam-u2f/dist/pamu2fcfg/strlcpy.c | 62 +
external/bsd/pam-u2f/dist/tests/Makefile.am | 5 +-
external/bsd/pam-u2f/dist/tests/basic.c | 8 +-
external/bsd/pam-u2f/dist/tests/credentials/new_-N.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_-P-N.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_-P-V-N.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_-P-V.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_-P.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_-V-N.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_-V.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_-r-N.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_-r-P-N.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_-r-P-V-N.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_-r-P-V.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_-r-P.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_-r-V-N.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_-r-V.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_-r.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_double_-N.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_double_-P-N.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_double_-P-V-N.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_double_-P-V.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_double_-P.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_double_-V-N.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_double_-V.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_double_-r-N.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_double_-r-P-N.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_double_-r-P-V-N.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_double_-r-P-V.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_double_-r-P.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_double_-r-V-N.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_double_-r-V.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_double_-r.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_double_.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_mixed_-P1-P2.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_mixed_-P12.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_mixed_1-P2.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/new_mixed_12.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/old_credential.cred.in | 1 +
external/bsd/pam-u2f/dist/tests/credentials/ssh_credential.cred.in | 10 +
external/bsd/pam-u2f/dist/tests/get_devices.c | 1196 ++++++++++
external/bsd/pam-u2f/dist/tests/regenerate_credentials.py | 144 +
76 files changed, 3656 insertions(+), 455 deletions(-)
diffs (truncated from 4949 to 300 lines):
diff -r 82a3d4ee0868 -r 6f747a1f64d1 external/bsd/pam-u2f/dist/.github/workflows/alpine_builds.yml
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/pam-u2f/dist/.github/workflows/alpine_builds.yml Fri Sep 24 12:51:20 2021 +0000
@@ -0,0 +1,49 @@
+name: alpine
+
+on: [push, pull_request]
+
+jobs:
+ build:
+ runs-on: ubuntu-20.04
+ container: alpine:latest
+ strategy:
+ fail-fast: false
+ matrix:
+ cc: [ gcc, clang ]
+ steps:
+ - name: dependencies
+ run: |
+ apk -q update
+ apk add build-base clang clang-analyzer cmake coreutils eudev-dev
+ apk add git linux-headers openssl-dev zlib-dev
+ apk add autoconf automake libtool linux-pam-dev gengetopt
+ - name: checkout pam-u2f
+ uses: actions/checkout@v2
+ - name: checkout libcbor
+ uses: actions/checkout@v2
+ with:
+ repository: PJK/libcbor
+ path: libcbor
+ ref: v0.8.0
+ - name: checkout libfido2
+ uses: actions/checkout@v2
+ with:
+ repository: Yubico/libfido2
+ path: libfido2
+ ref: 1.7.0
+ - name: install libcbor
+ run: |
+ cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_LIBDIR=lib .
+ make -j"$(nproc)" && make install
+ working-directory: libcbor
+ - name: install libfido2
+ run: |
+ cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_LIBDIR=lib .
+ make -j"$(nproc)" && make install
+ working-directory: libfido2
+ - name: build
+ env:
+ CC: ${{ matrix.cc }}
+ USER: root
+ run: |
+ /bin/bash -eux build-aux/ci/build-linux-${CC%-*}.sh
diff -r 82a3d4ee0868 -r 6f747a1f64d1 external/bsd/pam-u2f/dist/.github/workflows/codeql-analysis.yml
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/pam-u2f/dist/.github/workflows/codeql-analysis.yml Fri Sep 24 12:51:20 2021 +0000
@@ -0,0 +1,34 @@
+name: "Code scanning - action"
+
+on:
+ push:
+ pull_request:
+ schedule:
+ - cron: '0 8 * * 6'
+
+jobs:
+ CodeQL-Build:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+
+ - name: Build project
+ run: |
+ sudo apt -q update
+ sudo apt install -y libpam-dev asciidoc autoconf automake libtool \
+ software-properties-common libssl-dev pkg-config gengetopt
+ sudo apt-add-repository -u -y ppa:yubico/stable
+ sudo apt install -y libfido2-dev
+ ./autogen.sh
+ ./configure --disable-man
+ make
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v1
diff -r 82a3d4ee0868 -r 6f747a1f64d1 external/bsd/pam-u2f/dist/.github/workflows/format.yml
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/pam-u2f/dist/.github/workflows/format.yml Fri Sep 24 12:51:20 2021 +0000
@@ -0,0 +1,32 @@
+name: format
+
+on: [push, pull_request]
+
+jobs:
+ format:
+ runs-on: ubuntu-18.04
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: Dependencies
+ run: |
+ sudo apt -q update
+ sudo apt install -q -y clang-format-6.0
+ - name: Check
+ run: |
+ if [[ -n "${GITHUB_BASE_REF}" ]]; then
+ # pull request, check head branch against base branch
+ GITHUB_BEFORE="$(git ls-remote origin "${GITHUB_BASE_REF}" | cut -f1)"
+ elif [[ "${GITHUB_REF}" != "refs/heads/master" ]]; then
+ # workflow triggered from some branch other than master, assume that
+ # the branch will eventually be merged into master
+ GITHUB_BEFORE="$(git ls-remote origin refs/heads/master | cut -f1)"
+ else
+ # master branch, compare against previous state
+ # (jq comes preinstalled on github runners)
+ GITHUB_BEFORE="$(jq -r '.before' "${GITHUB_EVENT_PATH}")"
+ fi
+
+ # github interleaves stderr and stdout, redirect everything to stdout
+ /bin/bash -eu build-aux/ci/format-code.sh "${GITHUB_BEFORE}..${GITHUB_SHA}" 2>&1
diff -r 82a3d4ee0868 -r 6f747a1f64d1 external/bsd/pam-u2f/dist/.github/workflows/linux_builds.yml
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/pam-u2f/dist/.github/workflows/linux_builds.yml Fri Sep 24 12:51:20 2021 +0000
@@ -0,0 +1,48 @@
+name: linux
+
+on: [push, pull_request]
+
+jobs:
+ build:
+ runs-on: ${{ matrix.os }}
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - os: ubuntu-20.04
+ cc: gcc-10
+ - os: ubuntu-20.04
+ cc: clang-11
+ - os: ubuntu-18.04
+ cc: gcc-10
+ - os: ubuntu-18.04
+ cc: clang-10
+ steps:
+ - uses: actions/checkout@v2
+ - name: Setup
+ if: ${{ matrix.os == 'ubuntu-18.04' }}
+ run: |
+ sudo add-apt-repository -y ppa:yubico/stable
+ - name: dependencies
+ env:
+ CC: ${{ matrix.cc }}
+ run: |
+ sudo apt -q update
+ sudo apt install --no-install-recommends -q -y \
+ autoconf automake libtool pkg-config libfido2-dev libpam-dev \
+ gengetopt git2cl asciidoc-base xsltproc
+ if [ "${CC%-*}" == "clang" ]; then
+ sudo apt install -q -y ${CC%-*}-tools-${CC#clang-}
+ else
+ sudo apt install -q -y "${CC}"
+ fi
+ - name: build
+ env:
+ CC: ${{ matrix.cc }}
+ run: |
+ /bin/bash -eux build-aux/ci/build-linux-${CC%-*}.sh
+ - name: distcheck
+ env:
+ CC: ${{ matrix.cc }}
+ run: |
+ /bin/bash -eux build-aux/ci/distcheck.sh
diff -r 82a3d4ee0868 -r 6f747a1f64d1 external/bsd/pam-u2f/dist/.github/workflows/linux_fuzz.yml
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/pam-u2f/dist/.github/workflows/linux_fuzz.yml Fri Sep 24 12:51:20 2021 +0000
@@ -0,0 +1,29 @@
+name: fuzzer
+
+on: [push, pull_request]
+
+jobs:
+ build:
+ runs-on: ${{ matrix.os }}
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [ubuntu-20.04]
+ cc: [clang-10]
+ sanitizer: [asan]
+ steps:
+ - uses: actions/checkout@v2
+ - name: Dependencies
+ env:
+ CC: ${{ matrix.cc }}
+ run: |
+ sudo apt -q update
+ sudo apt install -q -y autoconf automake libtool pkg-config \
+ libpam-dev gengetopt libz-dev libudev-dev
+ sudo apt install -q -y ${CC%-*}-tools-${CC#clang-}
+ - name: Fuzz
+ env:
+ CC: ${{ matrix.cc }}
+ SANITIZER: ${{ matrix.sanitizer }}
+ run: |
+ ./build-aux/ci/fuzz-linux-${SANITIZER}.sh
diff -r 82a3d4ee0868 -r 6f747a1f64d1 external/bsd/pam-u2f/dist/.github/workflows/macos_builds.yml
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/pam-u2f/dist/.github/workflows/macos_builds.yml Fri Sep 24 12:51:20 2021 +0000
@@ -0,0 +1,20 @@
+name: macos
+
+on: [push, pull_request]
+
+jobs:
+ build:
+ runs-on: ${{ matrix.os }}
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [ macos-10.15 ]
+ cc: [ clang ]
+ steps:
+ - uses: actions/checkout@v2
+ - name: dependencies
+ run: brew install check cmake gengetopt help2man mandoc openssl@1.1 pkg-config automake
+ - name: build
+ env:
+ CC: ${{ matrix.cc }}
+ run: ./build-aux/ci/build-osx.sh
diff -r 82a3d4ee0868 -r 6f747a1f64d1 external/bsd/pam-u2f/dist/.github/workflows/scan.yml
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/pam-u2f/dist/.github/workflows/scan.yml Fri Sep 24 12:51:20 2021 +0000
@@ -0,0 +1,39 @@
+name: static code analysis
+# Documentation: https://github.com/Yubico/yes-static-code-analysis
+
+on:
+ push:
+ schedule:
+ - cron: '0 0 * * 1'
+
+env:
+ SCAN_IMG:
+ yubico-yes-docker-local.jfrog.io/static-code-analysis/c:v1
+ COMPILE_DEPS: "libfido2-dev xsltproc"
+ SECRET: ${{ secrets.ARTIFACTORY_READER_TOKEN }}
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@master
+
+ - name: Scan and fail on warnings
+ run: |
+ if [ "${SECRET}" != "" ]; then
+ docker login yubico-yes-docker-local.jfrog.io/ \
+ -u svc-static-code-analysis-reader -p ${SECRET}
+ docker pull ${SCAN_IMG}
+ docker run -v${PWD}:/k -e COMPILE_DEPS="${COMPILE_DEPS}" \
+ -e PROJECT_NAME=${GITHUB_REPOSITORY#Yubico/} \
+ -e PVS_IGNORE_WARNINGS=${PVS_IGNORE_WARNINGS} -t ${SCAN_IMG}
+ else
+ echo "No docker registry credentials, not scanning"
+ fi
+
+ - uses: actions/upload-artifact@master
+ if: failure()
+ with:
+ name: suppression_files
+ path: suppression_files
diff -r 82a3d4ee0868 -r 6f747a1f64d1 external/bsd/pam-u2f/dist/Makefile.am
--- a/external/bsd/pam-u2f/dist/Makefile.am Fri Sep 24 12:43:28 2021 +0000
+++ b/external/bsd/pam-u2f/dist/Makefile.am Fri Sep 24 12:51:20 2021 +0000
@@ -2,18 +2,24 @@
SUBDIRS = . pamu2fcfg tests
+if ENABLE_FUZZING
+SUBDIRS += fuzz
+endif
+
ACLOCAL_AMFLAGS = -I m4
-AM_CFLAGS = $(CWFLAGS)
+AM_CFLAGS = $(CWFLAGS) $(CSFLAGS)
AM_CPPFLAGS = $(LIBFIDO2_CFLAGS) $(LIBCRYPTO_CFLAGS)
+if ENABLE_FUZZING
+AM_CPPFLAGS += -fsanitize=fuzzer-no-link
+endif
-libdir = $(PAMDIR)
Home |
Main Index |
Thread Index |
Old Index