diff --git a/pkgs/development/libraries/libfido2/default.nix b/pkgs/development/libraries/libfido2/default.nix index a0f44a3322055..01a73f4a13086 100644 --- a/pkgs/development/libraries/libfido2/default.nix +++ b/pkgs/development/libraries/libfido2/default.nix @@ -1,17 +1,22 @@ -{ stdenv, fetchurl, cmake, pkgconfig, libcbor, libressl, udev }: +{ stdenv, fetchurl, cmake, pkgconfig, libcbor, libressl, udev, IOKit }: stdenv.mkDerivation rec { pname = "libfido2"; - version = "1.3.0"; + version = "1.3.1"; src = fetchurl { url = "https://developers.yubico.com/${pname}/Releases/${pname}-${version}.tar.gz"; - sha256 = "1izyl3as9rn7zcxpsvgngjwr55gli5gy822ac3ajzm65qiqkcbhb"; + sha256 = "0hdgxbmjbnm9kjwc07nrl2zy87qclvb3rzvdwr5iw35n2qhf4dds"; }; nativeBuildInputs = [ cmake pkgconfig ]; - buildInputs = [ libcbor libressl udev ]; + buildInputs = [ libcbor libressl ] + ++ stdenv.lib.optionals stdenv.isLinux [ udev ] + ++ stdenv.lib.optionals stdenv.isDarwin [ IOKit ]; - cmakeFlags = [ "-DUDEV_RULES_DIR=${placeholder "out"}/etc/udev/rules.d" ]; + patches = [ ./detect_apple_ld.patch ]; + + cmakeFlags = [ "-DUDEV_RULES_DIR=${placeholder "out"}/etc/udev/rules.d" + "-DCMAKE_INSTALL_LIBDIR=lib" ]; meta = with stdenv.lib; { description = '' @@ -20,6 +25,6 @@ stdenv.mkDerivation rec { homepage = https://github.com/Yubico/libfido2; license = licenses.bsd2; maintainers = with maintainers; [ dtzWill ]; - + platforms = platforms.unix; }; } diff --git a/pkgs/development/libraries/libfido2/detect_apple_ld.patch b/pkgs/development/libraries/libfido2/detect_apple_ld.patch new file mode 100644 index 0000000000000..de972e0f35864 --- /dev/null +++ b/pkgs/development/libraries/libfido2/detect_apple_ld.patch 
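Review bot: The new `patches = [ ./detect_apple_ld.patch ];` line in libfido2/default.nix has no comment saying why the patch exists or when it can be dropped, and it is applied on every platform although the `buildInputs` split just above it is platform-conditional. Judging by the patch body, it is there because the Darwin toolchain reports its compiler id as "Clang" rather than "AppleClang". A comment such as `# Darwin stdenv's clang is not identified as AppleClang; drop once upstream detects this` would tell whoever next bumps the version what to re-check. In the same spirit, `-DUDEV_RULES_DIR=...` is still passed on Darwin, where `udev` is no longer an input; wrapping that flag in `stdenv.lib.optionals stdenv.isLinux` would keep the flags in line with the inputs.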
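Review bot: `platforms = platforms.unix;` in the second libfido2 hunk advertises more than the derivation provides for, since the inputs add `udev` on Linux and `IOKit` on Darwin and nothing for any other Unix. Unless the remaining Unix platforms were actually built, `platforms = platforms.linux ++ platforms.darwin;` matches what this change wires up. The declaration matters downstream because openssh's new `withFIDO` default is keyed on `stdenv.hostPlatform.isUnix`, so openssh will request libfido2 on every platform that passes that test. The `meta` set opens outside this hunk.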
@@ -0,0 +1,11 @@ +--- a/CMakeLists.txt 2020-02-19 17:21:59.000000000 +0000 ++++ b/CMakeLists.txt 2020-02-23 15:57:34.241115306 +0000 +@@ -296,7 +296,7 @@ + endif() + + # export list +-if(CMAKE_C_COMPILER_ID STREQUAL "AppleClang") ++if(APPLE AND CMAKE_C_COMPILER_ID STREQUAL "Clang" OR CMAKE_C_COMPILER_ID STREQUAL "AppleClang") + # clang + lld + string(CONCAT CMAKE_SHARED_LINKER_FLAGS ${CMAKE_SHARED_LINKER_FLAGS} + " -exported_symbols_list ${CMAKE_CURRENT_SOURCE_DIR}/src/export.llvm") diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 90ecba0891d6c..dd0151c89dac0 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -4,6 +4,8 @@ , withKerberos ? true , withGssapiPatches ? false , kerberos +, libfido2 +, withFIDO ? stdenv.hostPlatform.isUnix , linkOpenssl? true }: 
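Review bot: The rewritten condition `if(APPLE AND CMAKE_C_COMPILER_ID STREQUAL "Clang" OR CMAKE_C_COMPILER_ID STREQUAL "AppleClang")` mixes `AND` and `OR` without parentheses, so a reader has to know CMake's evaluation order to see which grouping is meant. Writing it as `if((APPLE AND CMAKE_C_COMPILER_ID STREQUAL "Clang") OR CMAKE_C_COMPILER_ID STREQUAL "AppleClang")` states the intent explicitly. This branch selects the `-exported_symbols_list` linker flag, which decides the symbols the shared library exposes, so the condition is worth keeping unambiguous. The `if` block continues past the end of the patch hunk.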
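Review bot: The default `withFIDO ? stdenv.hostPlatform.isUnix` also switches FIDO on for the `hpnSupport` build, which this commit pins to 8.1p1 while the regular build moves to 8.2p1, and the commit removes `broken = hpnSupport;`, so that variant is buildable again. OpenSSH gained FIDO/U2F support in 8.2, so unless the HPN tarball backports it (please confirm), that variant would pull `libfido2` into its inputs and be handed `--with-security-key-builtin=yes`, a configure option it presumably does not recognise. `, withFIDO ? stdenv.hostPlatform.isUnix && !hpnSupport` would avoid this, assuming `hpnSupport` is declared earlier in the argument list, which lies outside this hunk.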
@@ -12,25 +14,25 @@ let # **please** update this patch when you update to a new openssh release. gssapiPatch = fetchpatch { name = "openssh-gssapi.patch"; - url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%258.1p1-2/debian/patches/gssapi.patch"; - sha256 = "0zfxx46a5lpjp317z354yyswa2wvmb1pp5p0nxsbhsrzw94jvxsj"; + url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%258.2p1-1/debian/patches/gssapi.patch"; + sha256 = "081gryqkfr5zr4f5m4v0piq1sxz06sb38z5lqxccgpivql7pa8d8"; }; in with stdenv.lib; stdenv.mkDerivation rec { pname = "openssh"; - version = if hpnSupport then "7.8p1" else "8.1p1"; + version = if hpnSupport then "8.1p1" else "8.2p1"; src = if hpnSupport then fetchurl { - url = "https://github.com/rapier1/openssh-portable/archive/hpn-KitchenSink-7_8_P1.tar.gz"; - sha256 = "05q5hxx7fzcgd8a5i0zk4fwvmnz4xqk04j489irnwm7cka7xdqxw"; + url = "https://github.com/rapier1/openssh-portable/archive/hpn-KitchenSink-8_1_P1.tar.gz"; + sha256 = "1xiv28df9c15h44fv1i93fq8rvkyapjj9vj985ndnw3xk1nvqjyd"; } else fetchurl { url = "mirror://openbsd/OpenSSH/portable/${pname}-${version}.tar.gz"; - sha256 = "1zwk3g57gb13br206k6jdhgnp6y1nibwswzraqspbl1m73pxpx82"; + sha256 = "0wg6ckzvvklbzznijxkk28fb8dnwyjd0w30ra0afwv6gwr8m34j3"; }; patches = @@ -41,15 +43,7 @@ stdenv.mkDerivation rec { ./dont_create_privsep_path.patch ./ssh-keysign.patch - ] ++ optional hpnSupport - # CVE-2018-20685, can probably be dropped with next version bump - # See https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt - # for details - (fetchpatch { - name = "CVE-2018-20685.patch"; - url = https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2.patch; - sha256 = "0q27i9ymr97yb628y44qi4m11hk5qikb1ji1vhvax8hp18lwskds"; - }) + ] ++ optional withGssapiPatches (assert withKerberos; gssapiPatch); postPatch = 
@@ -61,6 +55,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ pkgconfig ] ++ optional (hpnSupport || withGssapiPatches) autoreconfHook; buildInputs = [ zlib openssl libedit pam ] + ++ optional withFIDO libfido2 ++ optional withKerberos kerberos; preConfigure = '' @@ -80,6 +75,7 @@ stdenv.mkDerivation rec { "--disable-strip" (if pam != null then "--with-pam" else "--without-pam") ] ++ optional (etcDir != null) "--sysconfdir=${etcDir}" + ++ optional withFIDO "--with-security-key-builtin=yes" ++ optional withKerberos (assert kerberos != null; "--with-kerberos5=${kerberos}") ++ optional stdenv.isDarwin "--disable-libutil" ++ optional (!linkOpenssl) "--without-openssl"; @@ -108,6 +104,5 @@ stdenv.mkDerivation rec { license = stdenv.lib.licenses.bsd2; platforms = platforms.unix ++ platforms.windows; maintainers = with maintainers; [ eelco aneeshusa ]; - broken = hpnSupport; }; } diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 7177286dac8cc..d0b00300a2b56 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -12414,7 +12414,9 @@ in libfakekey = callPackage ../development/libraries/libfakekey { }; - libfido2 = callPackage ../development/libraries/libfido2 { }; + libfido2 = callPackage ../development/libraries/libfido2 { + inherit (darwin.apple_sdk.frameworks) IOKit; + }; libfilezilla = callPackage ../development/libraries/libfilezilla { };
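Review bot: `++ optional withFIDO libfido2` appears to bring a second libcrypto into the ssh binaries, because libfido2 is built with `buildInputs = [ libcbor libressl ]` in this same commit while openssh lists `openssl` here. Unless the `openssl` argument is overridden to LibreSSL where openssh is instantiated (not visible on this page), the binaries would load two libraries exporting the same symbol names, which is fragile in a package that handles keys and authentication. Building libfido2 against the same `openssl` that openssh uses, or passing a matching override from all-packages.nix, keeps one crypto implementation per process. The `buildInputs` list sits inside `stdenv.mkDerivation`, which opens and closes outside this hunk.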