From 855db864b0c4d2dcc5ed2f0182ea4a7942314086 Mon Sep 17 00:00:00 2001
From: Linos Giannopoulos
Date: Wed, 6 Jan 2021 23:19:48 +0200
Subject: [PATCH] openssh: Add FIDO2 hardware token support

Version 8.2[0] added support for two new key types: "ecdsa-sk" and "ed25519-sk". These two type enable the usage of hardware tokens that implement the FIDO (or FIDO2) standard, as an authentication method for SSH. Since we're already on version 8.4 all we need to do is to explicitly enable the support for hardware keys when compiling OpenSSH and add all the missing dependencies OpenSSH requires. OpenSSH depends on libfido2[1], to communicate with the FIDO devices over USB. In turn, libfido2 depends on libcbor, a C implementation of the CBOR protocol[2] and OpenSSL.

[0]: https://lwn.net/Articles/812537/
[1]: https://github.com/Yubico/libfido2
[2]: tools.ietf.org/html/rfc7049

Signed-off-by: Linos Giannopoulos
---
 net/openssh/Config.in | 12 ++++++++++++
 net/openssh/Makefile | 17 +++++++++++++----
 2 files changed, 25 insertions(+), 4 deletions(-)
 create mode 100644 net/openssh/Config.in

diff --git a/net/openssh/Config.in b/net/openssh/Config.in
new file mode 100644
index 000000000..3690ced2b
--- /dev/null
+++ b/net/openssh/Config.in
@@ -0,0 +1,12 @@
+if PACKAGE_openssh-server
+
+config OPENSSH_LIBFIDO2
+ bool
+ default y
+ prompt "Include libfido2 support in openssh-server"
+ help
+ OpenSSH version 8.2 added two new ssh authentication methods,
+ namely `ecdsa_sk` and `ed25519_sk`. These two methods make use
+ of hardware keys that implement the FIDO and FIDO2 protocols.
+ In order to use these two types, libfido2 is required.
+endif
diff --git a/net/openssh/Makefile b/net/openssh/Makefile
index 1782b02f6..a17f6ff0c 100644
--- a/net/openssh/Makefile
+++ b/net/openssh/Makefile
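Review bot: The option is gated on `if PACKAGE_openssh-server` and titled "Include libfido2 support in openssh-server", and the Makefile hunk at `define Package/openssh-server` attaches `+OPENSSH_LIBFIDO2:libfido2` to the server package, but as far as I know the libfido2-using code in OpenSSH is client-side: only `ssh-sk-helper` links libfido2 and `ssh`, `ssh-keygen` and `ssh-add` invoke it, while sshd verifies `*-sk` signatures with ordinary key crypto and needs no libfido2. Unless an install recipe outside this diff already ships `ssh-sk-helper`, the builtin provider is compiled but unreachable on the target; confirm which package installs the helper and gate both this option and the runtime dependency on that package (likely the client/keygen side) instead. Separately, the help text calls `ecdsa_sk` and `ed25519_sk` "authentication methods": these are key types, and OpenSSH spells them `ecdsa-sk` and `ed25519-sk` as the commit message does, so the underscore form does not match what users pass to `ssh-keygen -t`. Suggested help text: `OpenSSH 8.2 added the ecdsa-sk and ed25519-sk key types, backed by hardware authenticators implementing FIDO/FIDO2. This builds the USB HID support and pulls libfido2 (and libcbor) into the image.`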
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openssh
 PKG_VERSION:=8.4p1
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
@@ -21,6 +21,10 @@ PKG_LICENSE_FILES:=LICENCE
 PKG_CPE_ID:=cpe:/a:openssh:openssh
 PKG_REMOVE_FILES:=
+PKG_CONFIG_DEPENDS := \
+ CONFIG_OPENSSH_LIBFIDO2
+
+PKG_BUILD_DEPENDS += OPENSSH_LIBFIDO2:libfido2
 include $(INCLUDE_DIR)/package.mk
@@ -82,11 +86,15 @@ endef
 define Package/openssh-server
 $(call Package/openssh/Default)
- DEPENDS+= +openssh-keygen
+ DEPENDS+= +openssh-keygen +OPENSSH_LIBFIDO2:libfido2
 TITLE+= server
 USERID:=sshd=22:sshd=22
 endef
+define Package/openssh-server/config
+ source "$(SOURCE)/Config.in"
+endef
+
 define Package/openssh-server/description
 OpenSSH server.
 endef
@@ -164,8 +172,9 @@ CONFIGURE_ARGS += \
 --without-bsd-auth \
 --without-kerberos5 \
 --with-stackprotect \
- --with$(if $(CONFIG_OPENSSL_ENGINE),,out)-ssl-engine
-
+ --with$(if $(CONFIG_OPENSSL_ENGINE),,out)-ssl-engine \
+ --with$(if $(CONFIG_OPENSSH_LIBFIDO2),,out)-security-key-builtin
+
 ifeq ($(BUILD_VARIANT),with-pam)
 CONFIGURE_ARGS += \
 --with-pam
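Review bot: In the `@@ -21,6 +21,10 @@` hunk, `PKG_CONFIG_DEPENDS := \` with a continuation line for a single value uses spaced `:=` and a line break, while every other assignment visible in this file (`PKG_NAME:=openssh`, `PKG_RELEASE:=4`, `PKG_REMOVE_FILES:=`) is written compactly; suggest `PKG_CONFIG_DEPENDS:=CONFIG_OPENSSH_LIBFIDO2` and, matching the `DEPENDS+= ...` style further down, `PKG_BUILD_DEPENDS+= OPENSSH_LIBFIDO2:libfido2`. A one-line comment above them would also tell the next maintainer why a build-time dependency exists at all, e.g. `# --with-security-key-builtin needs the libfido2 headers at build time`.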