Merge branch 'main' into issue-302-log-key-handle

.github/workflows/alpine_builds.yml

@@ -4,7 +4,7 @@ on: [push, pull_request]
 
 jobs:
   build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     container: alpine:latest
     strategy:
       fail-fast: false

.github/workflows/codeql-analysis.yml

@@ -20,7 +20,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
 
     - name: Build project
       run: |
@@ -34,4 +34,4 @@ jobs:
         make
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3

.github/workflows/format.yml

@@ -4,7 +4,7 @@ on: [push, pull_request]
 
 jobs:
   format:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     env:
       CLANG_FORMAT_VERSION: -15
     steps:

.github/workflows/linux_builds.yml

@@ -9,6 +9,8 @@ jobs:
       fail-fast: false
       matrix:
         include:
+          - { os: ubuntu-24.04, cc: gcc-13 }
+          - { os: ubuntu-24.04, cc: clang-18 }
           - { os: ubuntu-22.04, cc: gcc-12 }
           - { os: ubuntu-22.04, cc: clang-15 }
           - { os: ubuntu-20.04, cc: gcc-10 }

.github/workflows/linux_fuzz.yml

@@ -8,8 +8,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-22.04]
-        cc: [clang-15]
+        os: [ubuntu-24.04]
+        cc: [clang-18]
         sanitizer: [asan]
     steps:
     - uses: actions/checkout@v4

.github/workflows/macos_builds.yml

@@ -8,12 +8,12 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ macos-11, macos-12, macos-13 ]
+        os: [ macos-13, macos-14, macos-15 ]
         cc: [ clang ]
     steps:
     - uses: actions/checkout@v4
     - name: dependencies
-      run: brew install check cmake help2man libfido2 mandoc pkg-config automake
+      run: brew install check cmake help2man libfido2 mandoc libtool automake
     - name: build
       env:
         CC: ${{ matrix.cc }}

.gitignore

@@ -1,10 +1,10 @@
 *.bak
+*.cred
 *.l[ao]
 *.log
 *.o
 *.trs
 *~
-*.cred
 .deps
 .dirstamp
 .libs
@@ -14,7 +14,6 @@ Makefile
 Makefile.in
 aclocal.m4
 autom4te.cache/
-build/
 build-aux/ar-lib
 build-aux/compile
 build-aux/config.guess
@@ -24,21 +23,24 @@ build-aux/install-sh
 build-aux/ltmain.sh
 build-aux/missing
 build-aux/test-driver
+build/
 config.log
 config.status
 configure
+fuzz/fuzz_format_parsers
 libtool
 m4/libtool.m4
 m4/ltoptions.m4
 m4/ltsugar.m4
 m4/ltversion.m4
 m4/lt~obsolete.m4
-tests/.deps/
-tests/dlsym_check
 man/pam_u2f.8
+man/pamu2fcfg.1
 pamu2fcfg/cmdline.c
 pamu2fcfg/cmdline.h
 pamu2fcfg/pamu2fcfg
-man/pamu2fcfg.1
+tests/.deps/
+tests/cfg
+tests/dlsym_check
+tests/expand
 tests/get_devices
-fuzz/fuzz_format_parsers

Makefile.am

@@ -17,6 +17,7 @@ AM_CPPFLAGS = $(LIBFIDO2_CFLAGS) $(LIBCRYPTO_CFLAGS)
 if ENABLE_FUZZING
 AM_CPPFLAGS += -fsanitize=fuzzer-no-link
 endif
+AM_CPPFLAGS += -D SCONFDIR='"@SCONFDIR@"'
 
 noinst_LTLIBRARIES = libmodule.la
 libmodule_la_SOURCES = pam-u2f.c
@@ -26,6 +27,7 @@ libmodule_la_SOURCES += drop_privs.h
 libmodule_la_SOURCES += expand.c
 libmodule_la_SOURCES += explicit_bzero.c
 libmodule_la_SOURCES += util.c util.h
+libmodule_la_SOURCES += cfg.c cfg.h
 libmodule_la_LIBADD = -lpam $(LIBFIDO2_LIBS) $(LIBCRYPTO_LIBS)
 
 pampluginexecdir = $(PAMDIR)
@@ -44,6 +46,7 @@ pam_u2f_la_LDFLAGS += -Wl,--wrap=strdup
 pam_u2f_la_LDFLAGS += -Wl,--wrap=calloc
 pam_u2f_la_LDFLAGS += -Wl,--wrap=malloc
 pam_u2f_la_LDFLAGS += -Wl,--wrap=open
+pam_u2f_la_LDFLAGS += -Wl,--wrap=openat
 pam_u2f_la_LDFLAGS += -Wl,--wrap=close
 pam_u2f_la_LDFLAGS += -Wl,--wrap=fdopen
 pam_u2f_la_LDFLAGS += -Wl,--wrap=fstat

NEWS

@@ -1,8 +1,21 @@
-Copyright (c) 2014-2023 Yubico AB - See COPYING
+Copyright (c) 2014-2025 Yubico AB - See COPYING
 
 pam-u2f NEWS -- History of user-visible changes.          -*- outline -*-
 
-* Version 1.3.1 (unreleased)
+* Version 1.3.3 (unreleased)
+
+* Version 1.3.2 (released 2025-01-16)
+** Relax authfile permission check to a warning instead of an error to
+prevent a breaking change locking existing users out of their systems.
+
+* Version 1.3.1 (released 2025-01-14)
+** Fix incorrect usage of PAM_IGNORE (YSA-2025-01, CVE-2025-23013).
+** Changed return value when nouserok is enabled and the user has no
+credentials, PAM_IGNORE is used instead of PAM_SUCCESS.
+** Hardened checks of authfile permissions.
+** Hardened checks for nouserok.
+** Improved debug messages.
+** Improved documentation.
 
 * Version 1.3.0 (released 2023-03-14)
 ** Add sanity checking of UV options to pamu2fcfg.

README

@@ -108,6 +108,7 @@ recommended that you start a separate shell with root privileges while
 configuring PAM to be able to revert changes if something goes wrong.
 Test your configuration thoroughly before closing the root shell.
 
+[[moduleArguments]]
 === Module Arguments
 
 [horizontal]
@@ -161,9 +162,9 @@ disable this functionality, like so: `authpending_file=`. Default value:
 /var/run/user/$UID/pam-u2f-authpending
 
 nouserok::
-Set to enable authentication attempts to succeed even if the user
-trying to authenticate is not found inside `authfile` or if `authfile`
-is missing/malformed.
+Set to make authentication attempts not fail if the user trying to
+authenticate is not found inside `authfile`, is found but has no
+credentials, or if the `authfile` is missing.
 
 openasuser::
 Setuid to the authenticating user when opening the authfile. Useful
@@ -240,6 +241,14 @@ FIDO devices. It is not possible to mix native credentials and SSH
 credentials. Once this option is enabled all credentials will be parsed
 as SSH.
 
+conf=/path/to/pam_u2f.conf::
+Set an alternative location for the <<confFile,configuration file>>.
+The supplied path must be absolute and must correspond to an existing
+regular file.
+
+The options specified on the module command line override the values
+from the <<confFile,configuration file>>.
+
 IMPORTANT: On dynamic networks (e.g. where hostnames are set by DHCP),
 users should not rely on the default origin and appid
 ("pam://$HOSTNAME") but set those parameters explicitly to the same
@@ -404,6 +413,30 @@ defined in the authorization mapping file. If during an authentication attempt
 a connected device is removed or a new device is plugged in, the authentication
 restarts from the top of the list.
 
+[[confFile]]
+== Configuration file
+
+A configuration file can be used to set the default
+<<moduleArguments,module arguments>>.
+
+- The file has a `name = value` format, with comments starting with the `#`
+  character.
+
+- White spaces at the beginning of line, end of line, and around the `=` sign
+  are ignored.
+
+- Any `conf` argument in the configuration file is ignored.
+
+- The maximum size for the configuration file is 4 KiB.
+
+- The default path for the configuration file is `/etc/security/pam_u2f.conf`.
+  Note that it may have been set to another value by the distribution. The
+  default file is allowed to not exist. An alternative path may be set in the
+  module command line options.
+
+- The options specified on the module command line override the values from the
+  configuration file.
+
 == SELinux Note
 
 Due to an issue with Fedora Linux, and possibly with other

build-aux/ci/fuzz-linux-asan.sh

@@ -4,10 +4,10 @@ set -euxo pipefail
 CORPUS_URL="https://storage.googleapis.com/yubico-pam-u2f/corpus.tgz"
 
 LIBCBOR_URL="https://github.com/pjk/libcbor"
-LIBCBOR_TAG="v0.10.2"
+LIBCBOR_TAG="v0.11.0"
 LIBCBOR_CFLAGS="-fsanitize=address,alignment,bounds"
 LIBFIDO2_URL="https://github.com/Yubico/libfido2"
-LIBFIDO2_TAG="1.14.0"
+LIBFIDO2_TAG="1.15.0"
 LIBFIDO2_CFLAGS="-fsanitize=address,alignment,bounds"
 
 COMMON_CFLAGS="-g2 -fno-omit-frame-pointer"