From 069caee57f5a6e263eacb45f6f1fab5577a7b7e1 Mon Sep 17 00:00:00 2001 From: "Thomas M. DuBuisson" Date: Mon, 9 Oct 2023 15:22:06 -0700 Subject: [PATCH 1/6] Unconditionally log public key on success --- util.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/util.c b/util.c index f3ea20f..bd4b40e 100644 --- a/util.c +++ b/util.c @@ -20,6 +20,8 @@ #include #include #include +#include +#include #include "b64.h" #include "debug.h" @@ -1254,6 +1256,7 @@ int do_authentication(const cfg_t *cfg, const device_t *devices, } r = fido_assert_verify(assert, 0, pk.type, pk.ptr); if (r == FIDO_OK) { + pam_syslog(pamh, LOG_INFO, "Successful FIDO authentication with publicKey %s (idx %u)", devices[i].publicKey, i); retval = 1; goto out; } From b51878d146f63c287998f50a494171e415680ecc Mon Sep 17 00:00:00 2001 From: "Thomas M. DuBuisson" Date: Tue, 10 Oct 2023 13:28:20 -0700 Subject: [PATCH 2/6] fmt --- util.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/util.c b/util.c index bd4b40e..17a7111 100644 --- a/util.c +++ b/util.c @@ -1256,7 +1256,10 @@ int do_authentication(const cfg_t *cfg, const device_t *devices, } r = fido_assert_verify(assert, 0, pk.type, pk.ptr); if (r == FIDO_OK) { - pam_syslog(pamh, LOG_INFO, "Successful FIDO authentication with publicKey %s (idx %u)", devices[i].publicKey, i); + pam_syslog(pamh, LOG_INFO, + "Successful FIDO authentication with publicKey %s (idx " + "%u)", + devices[i].publicKey, i); retval = 1; goto out; } From 5a50b562c3c1f32eddf12f4659598a0c1aa4e96f Mon Sep 17 00:00:00 2001 
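Review bot: The `%s` argument on the added pam_syslog line is `devices[i].publicKey`, the undecoded text taken from the authfile; for the default per-user keyfile that file is writable by the authenticating user, and nothing in the hunk bounds the field or strips control characters before it reaches the log, so a crafted entry that still decodes to a valid key (verification succeeded, so the decoded bytes were presumably checked earlier, but the printed string was not) is reproduced verbatim — whether newlines survive depends on the syslog daemon, so treat this as a hedge rather than a confirmed injection. An audit line is better served by a fixed-width, derived identifier, e.g. a truncated hex digest of the decoded key, or at minimum a precision cap such as `"Successful FIDO authentication with publicKey %.128s (idx %u)"`. The message also names no PAM user; if the user is reachable through `pamh` here it belongs in the line, since a public key alone does not say whose session succeeded. do_authentication begins and ends outside this hunk.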
From: Ludvig Michaelsson Date: Fri, 16 Jun 2023 15:04:05 +0200 Subject: [PATCH 3/6] ci: install libfido2 from brew on osx `brew` has for some time packaged libfido2. We can use those builds to simplify our pipeline. Ensure linking to the same OpenSSL version as libfido2 through `brew deps`. --- .github/workflows/macos_builds.yml | 2 +- build-aux/ci/build-osx.sh | 36 ++++++++---------------------- 2 files changed, 10 insertions(+), 28 deletions(-) diff --git a/.github/workflows/macos_builds.yml b/.github/workflows/macos_builds.yml index 4be3d8c..515791b 100644 --- a/.github/workflows/macos_builds.yml +++ b/.github/workflows/macos_builds.yml @@ -13,7 +13,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: dependencies - run: brew install check cmake help2man mandoc openssl@1.1 pkg-config automake + run: brew install check cmake help2man libfido2 mandoc pkg-config automake - name: build env: CC: ${{ matrix.cc }} diff --git a/build-aux/ci/build-osx.sh b/build-aux/ci/build-osx.sh index 3d1d824..e637acd 100755 --- a/build-aux/ci/build-osx.sh +++ b/build-aux/ci/build-osx.sh 
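Review bot: The new `brew install ... libfido2` step pulls an unpinned formula, so the macOS job links against whichever libfido2 and OpenSSL bottles Homebrew serves on the day it runs, and a bump in either can change or break the build with no change in this repository. If that drift is intended, say so next to the step, `# libfido2 is deliberately unpinned; brew tracks the latest upstream release`, so the next reader does not have to guess; otherwise pin to a versioned formula where one exists.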
@@ -1,30 +1,12 @@ #!/usr/bin/env bash set -ex -BUILDROOT="$(git rev-parse --show-toplevel)" - -pushd "/tmp" &>/dev/null - # Build and install libcbor - git clone https://github.com/pjk/libcbor - pushd "/tmp/libcbor" &>/dev/null - git checkout v0.5.0 - cmake -Bbuild -H. - cmake --build build -- --jobs=2 VERBOSE=1 - sudo make -j $(sysctl -n hw.logicalcpu) -C build install - popd &>/dev/null - - # Build and install libfido2 - export PKG_CONFIG_PATH=/usr/local/opt/openssl@1.1/lib/pkgconfig - git clone https://github.com/Yubico/libfido2 - pushd "/tmp/libfido2" &>/dev/null - cmake -Bbuild -H. - cmake --build build -- --jobs=2 VERBOSE=1 - sudo make -j $(sysctl -n hw.logicalcpu) -C build install - popd &>/dev/null -popd &>/dev/null - -pushd "$BUILDROOT" &>/dev/null - ./autogen.sh - ./configure --disable-silent-rules --disable-man - make -j $(sysctl -n hw.logicalcpu) -popd &>/dev/null +# Link to same OpenSSL version as libfido2. +OPENSSL="$(brew deps --installed libfido2 | grep openssl)" +LIBFIDO2_PKGCONF="$(brew --prefix libfido2)/lib/pkgconfig" +OPENSSL_PKGCONF="$(brew --prefix "${OPENSSL}")/lib/pkgconfig" +export PKG_CONFIG_PATH="${LIBFIDO2_PKGCONF}:${OPENSSL_PKGCONF}" + +./autogen.sh +./configure --disable-silent-rules --disable-man +make -j $(sysctl -n hw.logicalcpu) From daf400ece9ae03474d5b923af01e5c855a2dfafe Mon Sep 17 00:00:00 2001 From: Ludvig Michaelsson Date: Fri, 16 Jun 2023 15:20:52 +0200 Subject: [PATCH 4/6] ci: also run regression tests on macos --- build-aux/ci/build-osx.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/build-aux/ci/build-osx.sh b/build-aux/ci/build-osx.sh index e637acd..a37a72e 100755 --- a/build-aux/ci/build-osx.sh +++ b/build-aux/ci/build-osx.sh 
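Review bot: `OPENSSL="$(brew deps --installed libfido2 | grep openssl)"` assumes exactly one matching dependency; if Homebrew ever lists two (say openssl@1.1 and openssl@3 during a transition) the variable becomes two lines, `brew --prefix` receives two arguments and PKG_CONFIG_PATH is assembled from the garbage, while `set -e` only catches the zero-match case through grep's exit status and then aborts without explanation. Anchor and limit the match and fail loudly, `OPENSSL="$(brew deps --installed libfido2 | grep -m1 '^openssl')"` followed by `[ -n "$OPENSSL" ] || { echo "no openssl dep for libfido2" >&2; exit 1; }`. Dropping the source builds also removes the only record of which libcbor/libfido2 were tested (the old script pinned libcbor to v0.5.0 and built libfido2 from master), so echoing `brew list --versions libfido2 "$OPENSSL"` into the log would keep a failed run diagnosable.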
@@ -1,7 +1,7 @@ #!/usr/bin/env bash set -ex -# Link to same OpenSSL version as libfido2. +# Link to the same OpenSSL version as libfido2. OPENSSL="$(brew deps --installed libfido2 | grep openssl)" LIBFIDO2_PKGCONF="$(brew --prefix libfido2)/lib/pkgconfig" OPENSSL_PKGCONF="$(brew --prefix "${OPENSSL}")/lib/pkgconfig" @@ -10,3 +10,4 @@ export PKG_CONFIG_PATH="${LIBFIDO2_PKGCONF}:${OPENSSL_PKGCONF}" ./autogen.sh ./configure --disable-silent-rules --disable-man make -j $(sysctl -n hw.logicalcpu) +make check From c795f770e4a6fe31b6f5498731827c2e7101eea8 Mon Sep 17 00:00:00 2001 From: Ludvig Michaelsson Date: Wed, 11 Oct 2023 09:31:32 +0200 Subject: [PATCH 5/6] ci: fix codeql workflow --- .github/workflows/codeql-analysis.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index b19b871..6014aca 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -6,6 +6,9 @@ on: schedule: - cron: '0 8 * * 6' +permissions: + security-events: write + jobs: CodeQL-Build: From 67f93cbee4af0809ff93ca8f2b38ddb95b3948c9 Mon Sep 17 00:00:00 2001 From: "Thomas M. DuBuisson" Date: Wed, 27 Mar 2024 19:35:18 +0000 Subject: [PATCH 6/6] Use syslog --- util.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/util.c b/util.c index 17a7111..f2a0cc4 100644 --- a/util.c +++ b/util.c @@ -1256,10 +1256,9 @@ int do_authentication(const cfg_t *cfg, const device_t *devices, } r = fido_assert_verify(assert, 0, pk.type, pk.ptr); if (r == FIDO_OK) { - pam_syslog(pamh, LOG_INFO, - "Successful FIDO authentication with publicKey %s (idx " - "%u)", - devices[i].publicKey, i); + syslog(LOG_AUTHPRIV | LOG_INFO, + "Successful FIDO authentication with publicKey %s (idx %u)", + devices[i].publicKey, i); retval = 1; goto out; }
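Review bot: A workflow-level `permissions:` block that lists only `security-events: write` sets every other token scope to none for every job in the file, so the CodeQL job silently loses `contents: read` (needed by checkout on private repositories and recommended by the CodeQL action's documentation) and `actions: read` (needed by the upload step on private repositories); on a public repository this may happen to work, but the intent should be explicit: `permissions:` / `contents: read` / `security-events: write`. Placing the block under the `CodeQL-Build` job instead of at workflow level also keeps the write scope away from any job later added to this workflow. The job definition continues outside the hunk.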
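Review bot: Replacing `pam_syslog` with bare `syslog(3)` drops the context pam_syslog prepends (module name, PAM service and type) and uses whatever ident/facility the host application last passed to openlog, so in a login stack the line shows up as `sshd` or `login` output with nothing marking it as pam_u2f's. If the motive is portability (OpenPAM on macOS has no pam_syslog, and this series otherwise targets macOS CI), the commit message should say so and the message should carry its own tag: `syslog(LOG_AUTHPRIV | LOG_INFO, "pam_u2f: Successful FIDO authentication with publicKey %s (idx %u)", devices[i].publicKey, i);`; if the motive is only the facility, Linux-PAM's pam_syslog already logs under LOG_AUTHPRIV, so the switch buys nothing there. do_authentication begins and ends outside this hunk, and `pamh` remains a parameter, so either choice compiles without further change.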