[20.03] openssh: 8.1p1 -> 8.2p1

pkgs/development/libraries/libfido2/default.nix

@@ -1,17 +1,22 @@
-{ stdenv, fetchurl, cmake, pkgconfig, libcbor, libressl, udev }:
+{ stdenv, fetchurl, cmake, pkgconfig, libcbor, libressl, udev, IOKit }:
 
 stdenv.mkDerivation rec {
   pname = "libfido2";
-  version = "1.3.0";
+  version = "1.3.1";
   src = fetchurl {
     url = "https://developers.yubico.com/${pname}/Releases/${pname}-${version}.tar.gz";
-    sha256 = "1izyl3as9rn7zcxpsvgngjwr55gli5gy822ac3ajzm65qiqkcbhb";
+    sha256 = "0hdgxbmjbnm9kjwc07nrl2zy87qclvb3rzvdwr5iw35n2qhf4dds";
   };
 
   nativeBuildInputs = [ cmake pkgconfig ];
-  buildInputs = [ libcbor libressl udev ];
+  buildInputs = [ libcbor libressl ]
+    ++ stdenv.lib.optionals stdenv.isLinux [ udev ]
+    ++ stdenv.lib.optionals stdenv.isDarwin [ IOKit ];
 
-  cmakeFlags = [ "-DUDEV_RULES_DIR=${placeholder "out"}/etc/udev/rules.d" ];
+  patches = [ ./detect_apple_ld.patch ];
+
+  cmakeFlags = [ "-DUDEV_RULES_DIR=${placeholder "out"}/etc/udev/rules.d"
+                 "-DCMAKE_INSTALL_LIBDIR=lib" ];
 
   meta = with stdenv.lib; {
     description = ''
@@ -20,6 +25,6 @@ stdenv.mkDerivation rec {
     homepage = https://github.com/Yubico/libfido2;
     license = licenses.bsd2;
     maintainers = with maintainers; [ dtzWill ];
-
+    platforms = platforms.unix;
   };
 }

pkgs/development/libraries/libfido2/detect_apple_ld.patch

@@ -0,0 +1,11 @@
+--- a/CMakeLists.txt	2020-02-19 17:21:59.000000000 +0000
++++ b/CMakeLists.txt	2020-02-23 15:57:34.241115306 +0000
+@@ -296,7 +296,7 @@
+ endif()
+
+ # export list
+-if(CMAKE_C_COMPILER_ID STREQUAL "AppleClang")
++if(APPLE AND CMAKE_C_COMPILER_ID STREQUAL "Clang" OR CMAKE_C_COMPILER_ID STREQUAL "AppleClang")	
+ 	# clang + lld
+ 	string(CONCAT CMAKE_SHARED_LINKER_FLAGS ${CMAKE_SHARED_LINKER_FLAGS}
+ 	    " -exported_symbols_list ${CMAKE_CURRENT_SOURCE_DIR}/src/export.llvm")

pkgs/tools/networking/openssh/default.nix

@@ -4,6 +4,8 @@
 , withKerberos ? true
 , withGssapiPatches ? false
 , kerberos
+, libfido2
+, withFIDO ? stdenv.hostPlatform.isUnix
 , linkOpenssl? true
 }:
 
@@ -12,25 +14,25 @@ let
   # **please** update this patch when you update to a new openssh release.
   gssapiPatch = fetchpatch {
     name = "openssh-gssapi.patch";
-    url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%258.1p1-2/debian/patches/gssapi.patch";
-    sha256 = "0zfxx46a5lpjp317z354yyswa2wvmb1pp5p0nxsbhsrzw94jvxsj";
+    url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%258.2p1-1/debian/patches/gssapi.patch";
+    sha256 = "081gryqkfr5zr4f5m4v0piq1sxz06sb38z5lqxccgpivql7pa8d8";
   };
 
 in
 with stdenv.lib;
 stdenv.mkDerivation rec {
   pname = "openssh";
-  version = if hpnSupport then "7.8p1" else "8.1p1";
+  version = if hpnSupport then "8.1p1" else "8.2p1";
 
   src = if hpnSupport then
       fetchurl {
-        url = "https://github.com/rapier1/openssh-portable/archive/hpn-KitchenSink-7_8_P1.tar.gz";
-        sha256 = "05q5hxx7fzcgd8a5i0zk4fwvmnz4xqk04j489irnwm7cka7xdqxw";
+        url = "https://github.com/rapier1/openssh-portable/archive/hpn-KitchenSink-8_1_P1.tar.gz";
+        sha256 = "1xiv28df9c15h44fv1i93fq8rvkyapjj9vj985ndnw3xk1nvqjyd";
       }
     else
       fetchurl {
         url = "mirror://openbsd/OpenSSH/portable/${pname}-${version}.tar.gz";
-        sha256 = "1zwk3g57gb13br206k6jdhgnp6y1nibwswzraqspbl1m73pxpx82";
+        sha256 = "0wg6ckzvvklbzznijxkk28fb8dnwyjd0w30ra0afwv6gwr8m34j3";
       };
 
   patches =
@@ -41,15 +43,7 @@ stdenv.mkDerivation rec {
       ./dont_create_privsep_path.patch
 
       ./ssh-keysign.patch
-    ] ++ optional hpnSupport
-      # CVE-2018-20685, can probably be dropped with next version bump
-      # See https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
-      # for details
-      (fetchpatch {
-        name = "CVE-2018-20685.patch";
-        url = https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2.patch;
-        sha256 = "0q27i9ymr97yb628y44qi4m11hk5qikb1ji1vhvax8hp18lwskds";
-      })
+    ]
     ++ optional withGssapiPatches (assert withKerberos; gssapiPatch);
 
   postPatch =
@@ -61,6 +55,7 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ pkgconfig ] ++ optional (hpnSupport || withGssapiPatches) autoreconfHook;
   buildInputs = [ zlib openssl libedit pam ]
+    ++ optional withFIDO libfido2
     ++ optional withKerberos kerberos;
 
   preConfigure = ''
@@ -80,6 +75,7 @@ stdenv.mkDerivation rec {
     "--disable-strip"
     (if pam != null then "--with-pam" else "--without-pam")
   ] ++ optional (etcDir != null) "--sysconfdir=${etcDir}"
+    ++ optional withFIDO "--with-security-key-builtin=yes"
     ++ optional withKerberos (assert kerberos != null; "--with-kerberos5=${kerberos}")
     ++ optional stdenv.isDarwin "--disable-libutil"
     ++ optional (!linkOpenssl) "--without-openssl";
@@ -108,6 +104,5 @@ stdenv.mkDerivation rec {
     license = stdenv.lib.licenses.bsd2;
     platforms = platforms.unix ++ platforms.windows;
     maintainers = with maintainers; [ eelco aneeshusa ];
-    broken = hpnSupport;
   };
 }

pkgs/top-level/all-packages.nix

@@ -12414,7 +12414,9 @@ in
 
   libfakekey = callPackage ../development/libraries/libfakekey { };
 
-  libfido2 = callPackage ../development/libraries/libfido2 { };
+  libfido2 = callPackage ../development/libraries/libfido2 {
+    inherit (darwin.apple_sdk.frameworks) IOKit;
+  };
 
   libfilezilla = callPackage ../development/libraries/libfilezilla { };