Merge PR #142

Yubico · Mar 5, 2020 · 89412d9 · 89412d9
2 parents 9ddc575 + 781c31b
commit 89412d9
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 14 deletions.
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
@@ -0,0 +1,38 @@
+name: static code analysis
+# Documentation: https://github.com/Yubico/yes-static-code-analysis
+
+on:
+  push:
+  schedule:
+    - cron: '0 0 * * 1'
+
+env:
+  SCAN_IMG:
+    yes-docker-local.artifactory.in.yubico.org/static-code-analysis/c:v1
+  COMPILE_DEPS: "libfido2-dev"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@master
+
+    - name: Prep scan
+      run: |
+        docker login yes-docker-local.artifactory.in.yubico.org/ \
+             -u svc-static-code-analysis-reader \
+             -p ${{ secrets.ARTIFACTORY_READER_TOKEN }}
+        docker pull ${SCAN_IMG}
+
+    - name: Scan but do not fail on warnings
+      run: |
+        docker run -v${PWD}:/k -e COMPILE_DEPS="${COMPILE_DEPS}" \
+          -e PROJECT_NAME=${GITHUB_REPOSITORY#Yubico/} -t ${SCAN_IMG}
+      continue-on-error: true
+
+    - uses: actions/upload-artifact@master
+      if: failure()
+      with:
+        name: suppression_files
+        path: suppression_files
diff --git a/b64.c b/b64.c
@@ -75,7 +75,7 @@ int b64_decode(const char *in, void **ptr, size_t *len) {
   if (bio_b64 == NULL)
     goto fail;
 
-  bio_mem = BIO_new_mem_buf((void *) in, -1);
+  bio_mem = BIO_new_mem_buf((const void *) in, -1);
   if (bio_mem == NULL)
     goto fail;
 

diff --git a/drop_privs.h b/drop_privs.h
@@ -55,8 +55,10 @@ struct _ykpam_privs {
 
 #define PAM_MODUTIL_DEF_PRIVS(n)                                               \
   gid_t n##_saved_groups[SAVED_GROUPS_MAX_LEN];                                \
-  struct _ykpam_privs n = {-1, -1, n##_saved_groups, SAVED_GROUPS_MAX_LEN,     \
-                           cfg->debug_file}
+  struct _ykpam_privs n = {                                                    \
+    (uid_t) -1,           (gid_t) -1,      n##_saved_groups,                   \
+    SAVED_GROUPS_MAX_LEN, cfg->debug_file,                                     \
+  }
 
 int pam_modutil_drop_priv(pam_handle_t *, struct _ykpam_privs *,
                           struct passwd *);

diff --git a/pam-u2f.c b/pam-u2f.c
@@ -13,6 +13,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
+#include <stdint.h>
 #include <stdlib.h>
 #include <syslog.h>
 #include <pwd.h>
@@ -168,10 +169,11 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
   int should_free_appid = 0;
   int should_free_auth_file = 0;
   int should_free_authpending_file = 0;
-  PAM_MODUTIL_DEF_PRIVS(privs);
 
   parse_cfg(flags, argc, argv, cfg);
 
+  PAM_MODUTIL_DEF_PRIVS(privs);
+
   if (!cfg->origin) {
     strcpy(buffer, DEFAULT_ORIGIN_PREFIX);
 
@@ -427,24 +429,24 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
     free(buf);
     buf = NULL;
   }
-
+#define free_const(a) free((void *) (uintptr_t)(a))
   if (should_free_origin) {
-    free((char *) cfg->origin);
+    free_const(cfg->origin);
     cfg->origin = NULL;
   }
 
   if (should_free_appid) {
-    free((char *) cfg->appid);
+    free_const(cfg->appid);
     cfg->appid = NULL;
   }
 
   if (should_free_auth_file) {
-    free((char *) cfg->auth_file);
+    free_const(cfg->auth_file);
     cfg->auth_file = NULL;
   }
 
   if (should_free_authpending_file) {
-    free((char *) cfg->authpending_file);
+    free_const(cfg->authpending_file);
     cfg->authpending_file = NULL;
   }
 
@@ -470,3 +472,7 @@ PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
 
   return PAM_SUCCESS;
 }
+
+#ifdef PAM_MODULE_ENTRY
+PAM_MODULE_ENTRY("pam_u2f");
+#endif
diff --git a/util.c b/util.c
@@ -236,7 +236,7 @@ int get_devices_from_authfile(const char *authfile, const char *username,
       *n_devs = 0;
 
       i = 0;
-      while ((s_token = strtok_r(NULL, ",", &saveptr))) {
+      while ((s_token = strtok_r(NULL, ",", &saveptr)) != NULL) {
         if ((*n_devs)++ > max_devs - 1) {
           *n_devs = max_devs;
           if (verbose)
@@ -730,7 +730,8 @@ int do_authentication(const cfg_t *cfg, const device_t *devices,
 
         if (pin_verification == FIDO_OPT_TRUE)
           pin = converse(pamh, PAM_PROMPT_ECHO_OFF, "Please enter the PIN: ");
-        if (user_presence || user_verification) {
+        if (user_presence == FIDO_OPT_TRUE ||
+            user_verification == FIDO_OPT_TRUE) {
           if (cfg->manual == 0 && cfg->cue && !cued) {
             cued = 1;
             converse(pamh, PAM_TEXT_INFO,
@@ -1130,7 +1131,7 @@ static int _converse(pam_handle_t *pamh, int nargs,
 
 char *converse(pam_handle_t *pamh, int echocode, const char *prompt) {
   const struct pam_message msg = {.msg_style = echocode,
-                                  .msg = (char *) prompt};
+                                  .msg = (char *) (uintptr_t) prompt};
   const struct pam_message *msgs = &msg;
   struct pam_response *resp = NULL;
   int retval = _converse(pamh, 1, &msgs, &resp);
@@ -1162,7 +1163,7 @@ void _debug(FILE *debug_file, const char *file, int line, const char *func,
             const char *fmt, ...) {
   va_list ap;
   va_start(ap, fmt);
-#ifdef __linux__
+#ifdef LOG_DEBUG
   if (debug_file == (FILE *) -1) {
     syslog(LOG_AUTHPRIV | LOG_DEBUG, DEBUG_STR, file, line, func);
     vsyslog(LOG_AUTHPRIV | LOG_DEBUG, fmt, ap);

diff --git a/util.h b/util.h
@@ -25,7 +25,7 @@
 #if defined(DEBUG_PAM)
 #define D(file, ...) _debug(file, __FILE__, __LINE__, __func__, __VA_ARGS__)
 #else
-#define D(file, ...)
+#define D(file, ...) ((void) 0)
 #endif /* DEBUG_PAM */
 
 typedef struct {