oath-toolkit: update to 2.6.7

Changes since 2.4.1:

Version 2.6.7 (released 2021-05-01)

    pam_oath: Support variables in usersfile string parameter.  the
usersfile string in the pam_oath configuration file.  The placeholder values
allow the user credentials file to be stored in a file path that is relative
to the user, and mimics similar behavior found in
google-authenticator-libpam.

The motivation for these changes is to allow for non-privileged processes to
use pam_oath (e.g., for 2FA with xscreensaver).  Non-privileged and non-suid
programs are unable to use pam_oath.  These changes are a proposed
alternative to a suid helper binary as well.

Thanks to Jason Graham for the patch.  See
https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/12.

    doc: Fix project URL in man pages.  Thanks to Jason Graham
for the patch.  Fixes
https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/19.

    build: Drop use of libxml's AM_PATH_XML2 in favor of pkg-config.

    build: Modernize autotools usage.  Most importantly, no longer use
-Werror with AM_INIT_AUTOMAKE to make rebuilding from source more safe with
future automake versions.

    Updated gnulib files.

Version 2.6.6 (released 2021-01-20)

    oathtool: Handle HOTP --counter values larger than 0x7FFFFFFFFFFFFFFF.
Thanks to Jason Lai for report.

    doc: GTK-DOC manual improvements.

    Updated gnulib files.  Fixes test-parse-datetime self-check.  Fixes
https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/20.

Version 2.6.5 (released 2020-12-29)

    oathtool: Support for reading KEY and OTP from standard input or
filename.  KEY and OTP may now be given as - to mean stdin, or @file to read
from a particular file.  This is recommended on multi-user systems, since
secrets as command line parameters leak.  Based on a patch from Ian Jackson.
Fixes #6.

    pam_oath: Fix unlikely logic fail on out of memory conditions.  Patch
from Matthias Gerstner.

    Doc fixes.

Version 2.6.4 (released 2020-11-11)

    libpskc: New --with-xmlsec-crypto-engine to hard-code crypto engine.
Fixes https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/16.  Use it like
--with-xmlsec-crypto-engine=gnutls or --with-xmlsec-crypto-engine=openssl if
the default dynamic loading fails because of runtime linker search path
issues.

    oathtool --totp --verbose now prints TOTP hash mode.  Fixes
https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/4.

    oathtool: Hash names (e.g., SHA256) for --totp are now upper case.
Fixes https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/3.  Lower/mixed
case hash names are supported for compatibility.

    pam_oath: Fail gracefully for missing users.  Fixes
https://savannah.nongnu.org/support/index.php?109111.  This allows you to
incrementally add support for OATH authentication instead of forcing it on
all users.  See updated pam_oath/README on the [user_unknown=ignore
success=ok] parameter that can now be supplied to PAM configuration.  Patch
by Antoine Beaupra

    Fix libpskc memory corruption bug.  Fixes
https://savannah.nongnu.org/support/?108736.  Thanks to David Woodhouse and
Jaroslav A karvada for report, self check and patch.

    Fix man pages.  Fixes https://savannah.nongnu.org/support/?108312.
Thanks to Jaroslav A karvada for the patch.

    Build fixes.

Version 2.6.3 (released 2020-11-07)

    pam_oath: Fix self-tests.

    build: Update gnulib. Fix compiler warnings.

    Doc fixes.

Version 2.6.2 (released 2016-08-27)

    doc: Version controlled source code repository moved to GitLab.

Version 2.6.1 (released 2015-07-31)

    liboath: Fix make check on 32-bit systems.  Report and patch by
Christian Hesse.

Version 2.6.0 (released 2015-05-19)

    liboath: Support TOTP with HMAC-SHA256 and HMAC-SHA512.  This adds new
APIs oath_totp_generate2, oath_totp_validate4 and
oath_totp_validate4_callback.

    oathtool: The --totp parameter now take an optional argument to specify
MAC.  For example use --totp=sha256 to use HMAC-SHA256.  When --totp is used
the default HMAC-SHA1 is used, as before.

    pam_oath: Mention in README that you shouldn???t use insecure keys.
Suggested by Robin.

    pam_oath: Check return value from strdup.  Patch by Eero Hakkinen.

    The files gdoc and expect.oath are now included in the tarball.
Suggested by Jaroslav A karvada.

security/oath-toolkit/Makefile

@@ -1,11 +1,10 @@
-# $NetBSD: Makefile,v 1.23 2022/04/18 19:12:00 adam Exp $
+# $NetBSD: Makefile,v 1.24 2022/08/22 07:42:52 sborrill Exp $
 
-DISTNAME=	oath-toolkit-2.4.1
-PKGREVISION=	8
+DISTNAME=	oath-toolkit-2.6.7
 CATEGORIES=	security
 MASTER_SITES=	http://download.savannah.gnu.org/releases/oath-toolkit/
 
-MAINTAINER=	pettai@NetBSD.org
+MAINTAINER=	sborrill@NetBSD.org
 HOMEPAGE=	https://www.nongnu.org/oath-toolkit/
 COMMENT=	OATH (Open AuTHentication) Toolkit
 LICENSE=	gnu-lgpl-v2.1 AND gnu-gpl-v3
@@ -14,17 +13,18 @@ GNU_CONFIGURE=	yes
 USE_TOOLS+=	pkg-config
 USE_LIBTOOL=	yes
 
-USE_TOOLS+=	autoconf automake m4 autoreconf
+USE_TOOLS+=	autoconf automake m4 autoreconf perl
 
 BUILD_DEPENDS+=	automake>=1.14:../../devel/automake
 TOOL_DEPENDS+=	gtk-doc-[0-9]*:../../textproc/gtk-doc
 
 PKGCONFIG_OVERRIDE+=	liboath/liboath.pc.in
 
+.include "options.mk"
+
 pre-configure:
 	cd ${WRKSRC} && autoreconf -fi
 
 .include "../../textproc/libxml2/buildlink3.mk"
 .include "../../security/xmlsec1/buildlink3.mk"
-.include "../../mk/pam.buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"

security/oath-toolkit/PLIST

@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.5 2014/09/23 19:39:50 joerg Exp $
+@comment $NetBSD: PLIST,v 1.6 2022/08/22 07:42:52 sborrill Exp $
 bin/oathtool
 bin/pskctool
 include/liboath/oath.h
@@ -14,7 +14,7 @@ lib/liboath.la
 lib/libpskc.la
 lib/pkgconfig/liboath.pc
 lib/pkgconfig/libpskc.pc
-lib/security/pam_oath.la
+${PLIST.pam}lib/security/pam_oath.la
 man/man1/oathtool.1
 man/man1/pskctool.1
 man/man3/oath_authenticate_usersfile.3
@@ -31,11 +31,14 @@ man/man3/oath_init.3
 man/man3/oath_strerror.3
 man/man3/oath_strerror_name.3
 man/man3/oath_totp_generate.3
+man/man3/oath_totp_generate2.3
 man/man3/oath_totp_validate.3
 man/man3/oath_totp_validate2.3
 man/man3/oath_totp_validate2_callback.3
 man/man3/oath_totp_validate3.3
 man/man3/oath_totp_validate3_callback.3
+man/man3/oath_totp_validate4.3
+man/man3/oath_totp_validate4_callback.3
 man/man3/oath_totp_validate_callback.3
 man/man3/pskc_add_keypackage.3
 man/man3/pskc_build_xml.3
@@ -150,25 +153,28 @@ share/gtk-doc/html/liboath/api-index-1-12-0.html
 share/gtk-doc/html/liboath/api-index-1-4-0.html
 share/gtk-doc/html/liboath/api-index-1-6-0.html
 share/gtk-doc/html/liboath/api-index-1-8-0.html
+share/gtk-doc/html/liboath/api-index-2-4-0.html
+share/gtk-doc/html/liboath/api-index-2-6-0.html
 share/gtk-doc/html/liboath/api-index-full.html
+share/gtk-doc/html/liboath/deprecated-api-index.html
 share/gtk-doc/html/liboath/home.png
 share/gtk-doc/html/liboath/index.html
-share/gtk-doc/html/liboath/index.sgml
 share/gtk-doc/html/liboath/intro.html
+share/gtk-doc/html/liboath/left-insensitive.png
 share/gtk-doc/html/liboath/left.png
-share/gtk-doc/html/liboath/liboath-oath.html
+share/gtk-doc/html/liboath/liboath-oath.h.html
 share/gtk-doc/html/liboath/liboath.devhelp2
+share/gtk-doc/html/liboath/right-insensitive.png
 share/gtk-doc/html/liboath/right.png
 share/gtk-doc/html/liboath/style.css
+share/gtk-doc/html/liboath/up-insensitive.png
 share/gtk-doc/html/liboath/up.png
 share/gtk-doc/html/libpskc/api-index-2-2-0.html
 share/gtk-doc/html/libpskc/api-index-full.html
-share/gtk-doc/html/libpskc/ch02s02.html
-share/gtk-doc/html/libpskc/ch02s03.html
-share/gtk-doc/html/libpskc/ch02s04.html
+share/gtk-doc/html/libpskc/deprecated-api-index.html
 share/gtk-doc/html/libpskc/home.png
 share/gtk-doc/html/libpskc/index.html
-share/gtk-doc/html/libpskc/index.sgml
+share/gtk-doc/html/libpskc/left-insensitive.png
 share/gtk-doc/html/libpskc/left.png
 share/gtk-doc/html/libpskc/libpskc-container.html
 share/gtk-doc/html/libpskc/libpskc-enums.html
@@ -182,11 +188,17 @@ share/gtk-doc/html/libpskc/pskc-reference.html
 share/gtk-doc/html/libpskc/pskc-tutorial-libpskc-create.html
 share/gtk-doc/html/libpskc/pskc-tutorial-libpskc-sign.html
 share/gtk-doc/html/libpskc/pskc-tutorial-libpskc-verify.html
+share/gtk-doc/html/libpskc/pskc-tutorial-library.html
+share/gtk-doc/html/libpskc/pskc-tutorial-pskctool-sign.html
+share/gtk-doc/html/libpskc/pskc-tutorial-pskctool-validate.html
+share/gtk-doc/html/libpskc/pskc-tutorial-pskctool-verify.html
 share/gtk-doc/html/libpskc/pskc-tutorial-pskctool.html
 share/gtk-doc/html/libpskc/pskc-tutorial-quickstart.html
 share/gtk-doc/html/libpskc/pskc-tutorial.html
+share/gtk-doc/html/libpskc/right-insensitive.png
 share/gtk-doc/html/libpskc/right.png
 share/gtk-doc/html/libpskc/style.css
+share/gtk-doc/html/libpskc/up-insensitive.png
 share/gtk-doc/html/libpskc/up.png
 share/xml/pskc/catalog-pskc.xml
 share/xml/pskc/pskc-schema.xsd

security/oath-toolkit/distinfo

@@ -1,7 +1,11 @@
-$NetBSD: distinfo,v 1.13 2021/10/26 11:17:21 nia Exp $
+$NetBSD: distinfo,v 1.14 2022/08/22 07:42:52 sborrill Exp $
 
-BLAKE2s (oath-toolkit-2.4.1.tar.gz) = 1c708e16554736cfe5d38e4b6ff4e2eda945c9bc72cfb889f0ce4aec6078c44d
-SHA512 (oath-toolkit-2.4.1.tar.gz) = 2a3440d5c97afef00dacd235d5471e8bf68086dfdb20234a894e7534d75670808fef444fe1062525800bc5ffe368898302e6cf250cd76b7238cd602d7d05e89b
-Size (oath-toolkit-2.4.1.tar.gz) = 4136649 bytes
-SHA1 (patch-liboath_gl_fflush.c) = d957eed6c3e653ee53bbcf0b95b0c032f092b07d
-SHA1 (patch-liboath_gl_fseeko.c) = bd67a1af8c01a2dbf849f8612cbb18470cb3b248
+BLAKE2s (oath-toolkit-2.6.7.tar.gz) = 60abf1cd8341cc5ed887aea4c58928bfcac3347ab43dd3704bd69cf5e9a7e5ec
+SHA512 (oath-toolkit-2.6.7.tar.gz) = 50edff75c8366887d69cf4740c4cc3bdfc3e43cbd4910ff40f735bca489f0953d7e5a21130f12782ac7a1f2fb00f0db313aff139085f23daba78a69bc7b2eb12
+Size (oath-toolkit-2.6.7.tar.gz) = 5625279 bytes
+SHA1 (patch-liboath_gl_fflush.c) = 65b10470b8ba45973d11e3bdf32b9511461f87dc
+SHA1 (patch-pam__oath_Makefile.in) = c3fd5dea44e6c604e77dbe81ff7b062dc12925bf
+SHA1 (patch-pam__oath_configure.ac) = 525c51b98d0fc444440aa77a9b821b4c820cca31
+SHA1 (patch-pam__oath_pam__modutil.c) = f60b9d7a71efd79425be7ca3257d1a37b3d806fb
+SHA1 (patch-pam__oath_pam__modutil.h) = fe361f7430cf8a26c74653b4dbc42c01825f90f2
+SHA1 (patch-pam__oath_pam__oath.c) = f138397e7f5593f248c3ff761449b968ce6d9129

security/oath-toolkit/options.mk

@@ -0,0 +1,16 @@
+# $NetBSD: options.mk,v 1.1 2022/08/22 07:42:52 sborrill Exp $
+
+PKG_OPTIONS_VAR=	PKG_OPTIONS.oath-toolkit
+PKG_SUPPORTED_OPTIONS+=	pam
+PKG_SUGGESTED_OPTIONS=	pam
+
+.include "../../mk/bsd.options.mk"
+
+PLIST_VARS+=	pam
+
+.if !empty(PKG_OPTIONS:Mpam)
+PLIST.pam=		yes
+.  include "../../mk/pam.buildlink3.mk"
+.else
+CONFIGURE_ARGS+=	--disable-pam
+.endif

security/oath-toolkit/patches/patch-liboath_gl_fflush.c

@@ -1,11 +1,13 @@
-$NetBSD: patch-liboath_gl_fflush.c,v 1.3 2013/03/16 20:52:38 pettai Exp $
+$NetBSD: patch-liboath_gl_fflush.c,v 1.4 2022/08/22 07:42:52 sborrill Exp $
 
---- liboath/gl/fflush.c.orig	2013-01-03 22:33:04.000000000 +0000
-+++ liboath/gl/fflush.c
-@@ -96,7 +96,7 @@ update_fpos_cache (FILE *fp _GL_UNUSED_P
-                    off_t pos _GL_UNUSED_PARAMETER)
+Fix build on NetBSD
+
+--- liboath/gl/fflush.c.orig	2021-01-20 12:13:56.000000000 +0000
++++ liboath/gl/fflush.c	2022-08-17 10:41:26.973082601 +0100
+@@ -101,7 +101,7 @@
  {
- #  if defined __sferror || defined __DragonFly__ /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin */
+ #  if defined __sferror || defined __DragonFly__ || defined __ANDROID__
+   /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Minix 3, Android */
 -#   if defined __CYGWIN__
 +#   if defined(__CYGWIN__) || defined(__NetBSD__)
    /* fp_->_offset is typed as an integer.  */

security/oath-toolkit/patches/patch-pam__oath_Makefile.in

@@ -0,0 +1,62 @@
+$NetBSD: patch-pam__oath_Makefile.in,v 1.1 2022/08/22 07:42:52 sborrill Exp $
+
+Use local fragment of libpam, from FreeBSD
+
+--- pam_oath/Makefile.in.orig	2022-02-01 11:49:49 UTC
++++ pam_oath/Makefile.in
+@@ -149,7 +149,7 @@ am__uninstall_files_from_dir = { \
+ am__installdirs = "$(DESTDIR)$(pammoddir)"
+ LTLIBRARIES = $(pammod_LTLIBRARIES)
+ pam_oath_la_DEPENDENCIES = ../liboath/liboath.la
+-am_pam_oath_la_OBJECTS = pam_oath.lo
++am_pam_oath_la_OBJECTS = pam_oath.lo pam_modutil.lo
+ pam_oath_la_OBJECTS = $(am_pam_oath_la_OBJECTS)
+ AM_V_lt = $(am__v_lt_@AM_V@)
+ am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+@@ -173,7 +173,8 @@ am__v_at_1 = 
+ DEFAULT_INCLUDES = -I.@am__isrc@
+ depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp
+ am__maybe_remake_depfiles = depfiles
+-am__depfiles_remade = ./$(DEPDIR)/pam_oath.Plo
++am__depfiles_remade = ./$(DEPDIR)/pam_modutil.Plo \
++	./$(DEPDIR)/pam_oath.Plo
+ am__mv = mv -f
+ COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+@@ -414,7 +416,7 @@ AM_CPPFLAGS = -I$(builddir)/../liboath
+ EXTRA_DIST = README
+ pammoddir = $(PAMDIR)
+ pammod_LTLIBRARIES = pam_oath.la
+-pam_oath_la_SOURCES = pam_oath.c
++pam_oath_la_SOURCES = pam_oath.c pam_modutil.c pam_modutil.h
+ # XXX add -Wl,-x too?  PAM documentation suggests it.
+ pam_oath_la_LIBADD = ../liboath/liboath.la
+ pam_oath_la_LDFLAGS = -module -avoid-version
+@@ -516,6 +518,7 @@ mostlyclean-compile:
+ distclean-compile:
+ 	-rm -f *.tab.c
+
++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil.Plo@am__quote@ # am--include-marker
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_oath.Plo@am__quote@ # am--include-marker
+
+ $(am__depfiles_remade):
+@@ -896,7 +904,8 @@ clean-am: clean-generic clean-libtool clean-pammodLTLI
+
+ distclean: distclean-recursive
+ 	-rm -f $(am__CONFIG_DISTCLEAN_FILES)
+-		-rm -f ./$(DEPDIR)/pam_oath.Plo
++		-rm -f ./$(DEPDIR)/pam_modutil.Plo
++	-rm -f ./$(DEPDIR)/pam_oath.Plo
+ 	-rm -f Makefile
+ distclean-am: clean-am distclean-compile distclean-generic \
+ 	distclean-hdr distclean-libtool distclean-tags
+@@ -944,7 +953,8 @@ installcheck-am:
+ maintainer-clean: maintainer-clean-recursive
+ 	-rm -f $(am__CONFIG_DISTCLEAN_FILES)
+ 	-rm -rf $(top_srcdir)/autom4te.cache
+-		-rm -f ./$(DEPDIR)/pam_oath.Plo
++		-rm -f ./$(DEPDIR)/pam_modutil.Plo
++	-rm -f ./$(DEPDIR)/pam_oath.Plo
+ 	-rm -f Makefile
+ maintainer-clean-am: distclean-am maintainer-clean-generic
+

security/oath-toolkit/patches/patch-pam__oath_configure.ac

@@ -0,0 +1,15 @@
+$NetBSD: patch-pam__oath_configure.ac,v 1.1 2022/08/22 07:42:52 sborrill Exp $
+
+Use local fragment of libpam, from FreeBSD
+
+--- pam_oath/configure.ac.orig	2022-08-17 14:42:32.924331123 +0000
++++ pam_oath/configure.ac	2022-08-17 14:43:19.893846965 +0000
+@@ -29,8 +29,6 @@
+
+ AC_CHECK_HEADERS([security/pam_appl.h], [],
+   [AC_MSG_ERROR([[PAM header files not found, install libpam-dev.]])])
+-AC_CHECK_HEADERS([security/pam_modutil.h], [],
+-  [AC_MSG_ERROR([[PAM header files not found, install libpam-dev.]])])
+ AC_CHECK_HEADERS([security/pam_modules.h security/_pam_macros.h], [], [],
+   [#include <security/pam_appl.h>])
+

security/oath-toolkit/patches/patch-pam__oath_pam__modutil.c

@@ -0,0 +1,89 @@
+$NetBSD: patch-pam__oath_pam__modutil.c,v 1.1 2022/08/22 07:42:52 sborrill Exp $
+
+Use local fragment of libpam, from FreeBSD
+
+--- pam_oath/pam_modutil.c.orig	2022-01-31 11:03:40 UTC
++++ pam_oath/pam_modutil.c
+@@ -0,0 +1,82 @@
++#include <config.h>
++
++#ifndef HAVE_SECURITY_PAM_MODUTIL_H
++
++#include "pam_modutil.h"
++
++#ifdef HAVE_SECURITY_PAM_APPL_H
++#include <security/pam_appl.h>
++#endif
++#ifdef HAVE_SECURITY_PAM_MODULES_H
++#include <security/pam_modules.h>
++#endif
++
++#include <errno.h>
++#include <pwd.h>
++#include <stddef.h>
++#include <stdlib.h>
++#include <unistd.h>
++
++#define PWD_INITIAL_LENGTH      0x400
++#define PWD_ABSURD_PWD_LENGTH   0x4000
++
++void _pam_modutil_cleanup(pam_handle_t *pamh, void *data, int error_status) {
++    if (data) {
++        (void) free(data);
++    }
++}
++
++struct passwd *pam_modutil_getpwnam(pam_handle_t *pamh, const char *user) {
++    void *buffer = NULL;
++    size_t length = PWD_INITIAL_LENGTH;
++    long sc_init_length = sysconf(_SC_GETPW_R_SIZE_MAX);
++
++    if (sc_init_length != -1 && sc_init_length < PWD_ABSURD_PWD_LENGTH) {
++        length = (size_t) sc_init_length;
++    }
++
++    do {
++        int status;
++        void *new_buffer;
++        struct passwd *result = NULL;
++
++        new_buffer = realloc(buffer, sizeof(struct passwd) + length);
++        if (new_buffer == NULL) {
++            // out of memory
++            if (buffer) {
++                free(buffer);
++            }
++            return NULL;
++        }
++        buffer = new_buffer;
++
++        status = getpwnam_r(user, buffer,
++                            sizeof(struct passwd) + (char *) buffer,
++                            length, &result);
++        if (!status && result) {
++            status = pam_set_data(pamh, "_pammodutil_getpwnam", result,
++                                  _pam_modutil_cleanup);
++            if (status == PAM_SUCCESS) {
++                return result;
++            }
++            // unable to set data item
++            free(buffer);
++            return NULL;
++        }
++        if (status != ERANGE) {
++            // no matching record found (if status == 0)
++            // or getpwnam_r encountered an error
++            free(buffer);
++            return NULL;
++        }
++
++        length <<= 1;
++    } while (length < PWD_ABSURD_PWD_LENGTH);
++
++    // exceeded maximum buffer size
++    free(buffer);
++    return NULL;
++}
++#else
++typedef int make_iso_compilers_happy;
++#endif  /* HAVE_SECURITY_PAM_MODUTIL_H */

security/oath-toolkit/patches/patch-pam__oath_pam__modutil.h

@@ -0,0 +1,24 @@
+$NetBSD: patch-pam__oath_pam__modutil.h,v 1.1 2022/08/22 07:42:52 sborrill Exp $
+
+Use local fragment of libpam, from FreeBSD
+
+--- pam_oath/pam_modutil.h.orig	2022-01-31 11:03:40 UTC
++++ pam_oath/pam_modutil.h
+@@ -0,0 +1,17 @@
++#ifndef PAM_MODUTIL_H
++#define PAM_MODUTIL_H
++
++#ifdef HAVE_SECURITY_PAM_MODUTIL_H
++#include <security/pam_modutil.h>
++#else
++
++#ifdef HAVE_SECURITY_PAM_MODULES_H
++#include <security/pam_modules.h>
++#endif
++
++#include <pwd.h>
++
++struct passwd *pam_modutil_getpwnam(pam_handle_t *pamh, const char *user);
++
++#endif
++#endif