From 7f3cf25977bca1d9663f5c279d0c514e5a96ba2b Mon Sep 17 00:00:00 2001 From: Marek Mahut Date: Fri, 21 Feb 2020 11:11:50 +0100 Subject: [PATCH 1/5] libfido2: linux build only (cherry picked from commit 852d2bcfd402d0076bbe7f6d1ed62ed6763c2a23) --- pkgs/development/libraries/libfido2/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/libraries/libfido2/default.nix b/pkgs/development/libraries/libfido2/default.nix index a0f44a3322055..9736f0b153320 100644 --- a/pkgs/development/libraries/libfido2/default.nix +++ b/pkgs/development/libraries/libfido2/default.nix @@ -20,6 +20,6 @@ stdenv.mkDerivation rec { homepage = https://github.com/Yubico/libfido2; license = licenses.bsd2; maintainers = with maintainers; [ dtzWill ]; - + platforms = platforms.linux; }; } From f06ab62d84fcab849c260abc381f0b2102cecf05 Mon Sep 17 00:00:00 2001 From: Marek Mahut Date: Fri, 21 Feb 2020 13:53:27 +0100 Subject: [PATCH 2/5] libfido2: evaluate systemd only on Linux (cherry picked from commit 1ea0a243d2b5558dc4dc441d6775d12671d32b00) --- pkgs/development/libraries/libfido2/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/libraries/libfido2/default.nix b/pkgs/development/libraries/libfido2/default.nix index 9736f0b153320..32d19283974c4 100644 --- a/pkgs/development/libraries/libfido2/default.nix +++ b/pkgs/development/libraries/libfido2/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { }; nativeBuildInputs = [ cmake pkgconfig ]; - buildInputs = [ libcbor libressl udev ]; + buildInputs = [ libcbor libressl ] ++ stdenv.lib.optionals stdenv.isLinux [ udev ]; cmakeFlags = [ "-DUDEV_RULES_DIR=${placeholder "out"}/etc/udev/rules.d" ]; From 9ea34a5bb87741b18ee71ddfd7f045c68bb883c2 Mon Sep 17 00:00:00 2001 
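Review bot: The `buildInputs` line in the PATCH 2/5 hunk now pulls in `udev` only on Linux, but the `cmakeFlags` line two lines below still passes `-DUDEV_RULES_DIR=${placeholder "out"}/etc/udev/rules.d` on every platform, so non-Linux builds hand CMake a udev rules directory for a dependency they no longer have. Whether libfido2's CMake ignores that flag when udev is absent is not visible here; guarding it the same way, `cmakeFlags = stdenv.lib.optionals stdenv.isLinux [ "-DUDEV_RULES_DIR=${placeholder "out"}/etc/udev/rules.d" ];`, keeps the two declarations consistent. The same unconditional flag is carried forward unchanged by the macOS-support hunk in PATCH 3/5.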
From: Artemis Tosini
Date: Sun, 23 Feb 2020 15:59:41 +0000
Subject: [PATCH 3/5] libfido2: add macOS support

* pass IOKit to libfido2
* Add a patch so that cmake uses lld flags when linking
* Upgrade from 1.3.0 to 1.3.1 (based off #80781)
* Specify CMAKE_INSTALL_LIBDIR so that the demo binaries link correctly on macOS and libfido2.pc specifies correct arguments

(cherry picked from commit 099359afc72d34255b78cdcc6291b77b2e7ed2f9)
---
pkgs/development/libraries/libfido2/default.nix | 17 +++++++++++------
.../libraries/libfido2/detect_apple_ld.patch | 11 +++++++++++
pkgs/top-level/all-packages.nix | 4 +++-
3 files changed, 25 insertions(+), 7 deletions(-)
create mode 100644 pkgs/development/libraries/libfido2/detect_apple_ld.patch

diff --git a/pkgs/development/libraries/libfido2/default.nix b/pkgs/development/libraries/libfido2/default.nix
index 32d19283974c4..01a73f4a13086 100644
--- a/pkgs/development/libraries/libfido2/default.nix
+++ b/pkgs/development/libraries/libfido2/default.nix
@@ -1,17 +1,22 @@ -{ stdenv, fetchurl, cmake, pkgconfig, libcbor, libressl, udev }: +{ stdenv, fetchurl, cmake, pkgconfig, libcbor, libressl, udev, IOKit }: stdenv.mkDerivation rec { pname = "libfido2"; - version = "1.3.0"; + version = "1.3.1"; src = fetchurl { url = "https://developers.yubico.com/${pname}/Releases/${pname}-${version}.tar.gz"; - sha256 = "1izyl3as9rn7zcxpsvgngjwr55gli5gy822ac3ajzm65qiqkcbhb"; + sha256 = "0hdgxbmjbnm9kjwc07nrl2zy87qclvb3rzvdwr5iw35n2qhf4dds"; }; nativeBuildInputs = [ cmake pkgconfig ]; - buildInputs = [ libcbor libressl ] ++ stdenv.lib.optionals stdenv.isLinux [ udev ]; + buildInputs = [ libcbor libressl ] + ++ stdenv.lib.optionals stdenv.isLinux [ udev ] + ++ stdenv.lib.optionals stdenv.isDarwin [ IOKit ]; - cmakeFlags = [ "-DUDEV_RULES_DIR=${placeholder "out"}/etc/udev/rules.d" ]; + patches = [ ./detect_apple_ld.patch ]; + + cmakeFlags = [ "-DUDEV_RULES_DIR=${placeholder "out"}/etc/udev/rules.d" + "-DCMAKE_INSTALL_LIBDIR=lib" ]; meta = with stdenv.lib; { description = '' @@ -20,6 +25,6 @@ stdenv.mkDerivation rec { homepage = https://github.com/Yubico/libfido2; license = licenses.bsd2; maintainers = with maintainers; [ dtzWill ]; - platforms = platforms.linux; + platforms = platforms.unix; }; } diff --git a/pkgs/development/libraries/libfido2/detect_apple_ld.patch b/pkgs/development/libraries/libfido2/detect_apple_ld.patch new file mode 100644 index 0000000000000..de972e0f35864 --- /dev/null +++ b/pkgs/development/libraries/libfido2/detect_apple_ld.patch 
@@ -0,0 +1,11 @@ +--- a/CMakeLists.txt 2020-02-19 17:21:59.000000000 +0000 ++++ b/CMakeLists.txt 2020-02-23 15:57:34.241115306 +0000 +@@ -296,7 +296,7 @@ + endif() + + # export list +-if(CMAKE_C_COMPILER_ID STREQUAL "AppleClang") ++if(APPLE AND CMAKE_C_COMPILER_ID STREQUAL "Clang" OR CMAKE_C_COMPILER_ID STREQUAL "AppleClang") + # clang + lld + string(CONCAT CMAKE_SHARED_LINKER_FLAGS ${CMAKE_SHARED_LINKER_FLAGS} + " -exported_symbols_list ${CMAKE_CURRENT_SOURCE_DIR}/src/export.llvm") diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 7177286dac8cc..d0b00300a2b56 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -12414,7 +12414,9 @@ in libfakekey = callPackage ../development/libraries/libfakekey { }; - libfido2 = callPackage ../development/libraries/libfido2 { }; + libfido2 = callPackage ../development/libraries/libfido2 { + inherit (darwin.apple_sdk.frameworks) IOKit; + }; libfilezilla = callPackage ../development/libraries/libfilezilla { }; From f93be3ed164464fbfa30bb6ef0474879f9d758b7 Mon Sep 17 00:00:00 2001 From: Pavol Rusnak Date: Sat, 15 Feb 2020 20:51:49 +0100 Subject: [PATCH 4/5] openssh: 8.1p1 -> 8.2p1 https://www.openssh.com/txt/release-8.2 add libfido2 to enable hardware tokens support added in this release (cherry picked from commit 44864b292f041d96696155daa78eda8bd03d796f) --- pkgs/tools/networking/openssh/default.nix | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 90ecba0891d6c..2603200e0f3d7 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -4,6 +4,8 @@ , withKerberos ? true , withGssapiPatches ? false , kerberos +, libfido2 +, withFIDO ? stdenv.hostPlatform.isUnix , linkOpenssl? true }: 
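Review bot: The replacement condition in `detect_apple_ld.patch` mixes `AND` and `OR` without parentheses; CMake evaluates `AND` before `OR`, so it reads as `(APPLE AND Clang) OR AppleClang`, which is presumably what is meant, but a reader has to know the precedence table to see it. Writing `if((APPLE AND CMAKE_C_COMPILER_ID STREQUAL "Clang") OR CMAKE_C_COMPILER_ID STREQUAL "AppleClang")` makes the grouping explicit and protects the line if it is later edited. The patch file also has no header text explaining why it exists; a one-line note at its top (why non-Apple-branded clang on macOS also needs the `-exported_symbols_list` branch, and that it should be re-checked on each libfido2 bump) would help whoever rebases it onto the next release.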
@@ -12,15 +14,15 @@ let # **please** update this patch when you update to a new openssh release. gssapiPatch = fetchpatch { name = "openssh-gssapi.patch"; - url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%258.1p1-2/debian/patches/gssapi.patch"; - sha256 = "0zfxx46a5lpjp317z354yyswa2wvmb1pp5p0nxsbhsrzw94jvxsj"; + url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%258.2p1-1/debian/patches/gssapi.patch"; + sha256 = "081gryqkfr5zr4f5m4v0piq1sxz06sb38z5lqxccgpivql7pa8d8"; }; in with stdenv.lib; stdenv.mkDerivation rec { pname = "openssh"; - version = if hpnSupport then "7.8p1" else "8.1p1"; + version = if hpnSupport then "7.8p1" else "8.2p1"; src = if hpnSupport then fetchurl { @@ -30,7 +32,7 @@ stdenv.mkDerivation rec { else fetchurl { url = "mirror://openbsd/OpenSSH/portable/${pname}-${version}.tar.gz"; - sha256 = "1zwk3g57gb13br206k6jdhgnp6y1nibwswzraqspbl1m73pxpx82"; + sha256 = "0wg6ckzvvklbzznijxkk28fb8dnwyjd0w30ra0afwv6gwr8m34j3"; }; patches = @@ -61,6 +63,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ pkgconfig ] ++ optional (hpnSupport || withGssapiPatches) autoreconfHook; buildInputs = [ zlib openssl libedit pam ] + ++ optional withFIDO libfido2 ++ optional withKerberos kerberos; preConfigure = '' @@ -80,6 +83,7 @@ stdenv.mkDerivation rec { "--disable-strip" (if pam != null then "--with-pam" else "--without-pam") ] ++ optional (etcDir != null) "--sysconfdir=${etcDir}" + ++ optional withFIDO "--with-security-key-builtin=yes" ++ optional withKerberos (assert kerberos != null; "--with-kerberos5=${kerberos}") ++ optional stdenv.isDarwin "--disable-libutil" ++ optional (!linkOpenssl) "--without-openssl"; From 811013c1a2eeb874ddc895fe6bbf125ed02d58ec Mon Sep 17 00:00:00 2001 
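Review bot: `withFIDO` defaults to `stdenv.hostPlatform.isUnix` independently of `hpnSupport`, yet the `@@ -12,15 +14,15 @@` hunk keeps the HPN variant on `7.8p1` (raised only to `8.1p1` in PATCH 5/5), and the commit message itself says hardware-token support arrives in 8.2; on those older trees `--with-security-key-builtin=yes` is not a configure option they know, so it is presumably ignored with a warning or rejected under strict option checking, and `libfido2` is linked in for nothing. Tying the default to the version, `withFIDO ? stdenv.hostPlatform.isUnix && !hpnSupport`, or asserting `!hpnSupport` next to the `++ optional withFIDO "--with-security-key-builtin=yes"` line, makes the combination explicit instead of silently producing an HPN openssh without FIDO support. I cannot see the HPN tarball's configure script from here, so the exact failure mode is inferred.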
From: Pavol Rusnak Date: Sun, 16 Feb 2020 19:27:56 +0100 Subject: [PATCH 5/5] openssh_hpn: 7.8p1 -> 8.1p1 fix build failure (cherry picked from commit 205f42b1422feda79cf8205e87ff0cd786bc042e) --- pkgs/tools/networking/openssh/default.nix | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 2603200e0f3d7..dd0151c89dac0 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -22,12 +22,12 @@ in with stdenv.lib; stdenv.mkDerivation rec { pname = "openssh"; - version = if hpnSupport then "7.8p1" else "8.2p1"; + version = if hpnSupport then "8.1p1" else "8.2p1"; src = if hpnSupport then fetchurl { - url = "https://github.com/rapier1/openssh-portable/archive/hpn-KitchenSink-7_8_P1.tar.gz"; - sha256 = "05q5hxx7fzcgd8a5i0zk4fwvmnz4xqk04j489irnwm7cka7xdqxw"; + url = "https://github.com/rapier1/openssh-portable/archive/hpn-KitchenSink-8_1_P1.tar.gz"; + sha256 = "1xiv28df9c15h44fv1i93fq8rvkyapjj9vj985ndnw3xk1nvqjyd"; } else fetchurl { @@ -43,15 +43,7 @@ stdenv.mkDerivation rec { ./dont_create_privsep_path.patch ./ssh-keysign.patch - ] ++ optional hpnSupport - # CVE-2018-20685, can probably be dropped with next version bump - # See https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt - # for details - (fetchpatch { - name = "CVE-2018-20685.patch"; - url = https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2.patch; - sha256 = "0q27i9ymr97yb628y44qi4m11hk5qikb1ji1vhvax8hp18lwskds"; - }) + ] ++ optional withGssapiPatches (assert withKerberos; gssapiPatch); postPatch = @@ -112,6 +104,5 @@ stdenv.mkDerivation rec { license = stdenv.lib.licenses.bsd2; platforms = platforms.unix ++ platforms.windows; maintainers = with maintainers; [ eelco aneeshusa ]; - broken = hpnSupport; }; }
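Review bot: Dropping `broken = hpnSupport` in the last hunk makes the HPN variant buildable again, but `gssapiPatch` (pointed at Debian's `1%258.2p1-1` patch by PATCH 4/5) is still applied whenever `withGssapiPatches` is set, including to the HPN `8.1p1` tree this commit selects, and the `**please** update this patch when you update to a new openssh release` comment above it is the only thing guarding that mismatch. Whether the 8.2p1 gssapi patch applies to the HPN 8.1p1 sources is not visible here; either extending the existing assert, `] ++ optional withGssapiPatches (assert withKerberos && !hpnSupport; gssapiPatch);`, or keeping `broken = hpnSupport && withGssapiPatches;` would state the supported combinations rather than leaving them to be discovered at patch time. Removing the `CVE-2018-20685` backport is consistent with moving to 8.1p1, which post-dates the upstream fix commit it referenced; a short note in the commit message saying so would save the next reviewer the lookup.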