From 42e2f427e699ce9901d8b5e1904853ddb0364b71 Mon Sep 17 00:00:00 2001
From: Linos Giannopoulos
Date: Wed, 6 Jan 2021 03:43:55 +0200
Subject: [PATCH 1/3] libcbor: Add new package
Libcbor is a C library for parsing and generating CBOR[0], the general-purpose schema-less binary data format.
[0]: https://tools.ietf.org/html/rfc7049
Signed-off-by: Linos Giannopoulos
---
 libs/libcbor/Makefile | 47 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 libs/libcbor/Makefile
diff --git a/libs/libcbor/Makefile b/libs/libcbor/Makefile
new file mode 100644
index 000000000..7c0735f28
--- /dev/null
+++ b/libs/libcbor/Makefile
@@ -0,0 +1,47 @@
+#
+# Copyright (C) 2020 Linos Giannopoulos
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=libcbor
+PKG_VERSION:=0.8.0
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://codeload.github.com/PJK/libcbor/tar.gz/v$(PKG_VERSION)?
+PKG_HASH:=618097166ea4a54499646998ccaa949a5816e6a665cf1d6df383690895217c8b
+
+PKG_LICENSE:=GPL-3.0-or-later
+PKG_LICENSE_FILES:=COPYING
+PKG_MAINTAINER:=Linos Giannopoulos
+
+CMAKE_OPTIONS += \
+ -DBUILD_SHARED_LIBS=ON
+CMAKE_INSTALL:=1
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/cmake.mk
+
+define Package/libcbor
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=libcbor
+ URL:=https://github.com/PJK/libcbor
+ ABI_VERSION:=0
+endef
+
+define Package/libcbor/description
+ libcbor is a C library for parsing and generating CBOR, the general-purpose schema-less binary data format.
+endef
+
+
+define Package/libcbor/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libcbor.so.* $(1)/usr/lib/
+endef
+
+$(eval $(call BuildPackage,libcbor))
From 1ce5b104259503be843f7a92a8955ad5021fda04 Mon Sep 17 00:00:00 2001
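Review bot: The license metadata on the `PKG_LICENSE:=GPL-3.0-or-later` / `PKG_LICENSE_FILES:=COPYING` lines does not match libcbor, which upstream publishes under the MIT license, and the same two values reappear in the libfido2 Makefile hunk of patch 2/3 where the project is BSD-licensed; please check the license file actually present in each tarball and set `PKG_LICENSE:=MIT` here with PKG_LICENSE_FILES pointing at that file. `ABI_VERSION:=0` also deserves a look: libcbor's CMake build derives the soversion from major.minor (Debian ships it as libcbor0.8), so the library this install rule copies is probably libcbor.so.0.8 and `ABI_VERSION:=0.8` would be the matching value — confirm against the built .so before merging. The pinned PKG_HASH and the explicit -DBUILD_SHARED_LIBS=ON are fine as they are.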
From: Linos Giannopoulos
Date: Wed, 6 Jan 2021 23:03:56 +0200
Subject: [PATCH 2/3] libfido2: Add new package
libfido2 provides library functionality and command-line tools to communicate with a FIDO device over USB, and to verify attestation and assertion signatures. libfido2 supports the FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2) protocols.
Signed-off-by: Linos Giannopoulos
---
 libs/libfido2/Makefile | 51 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 libs/libfido2/Makefile
diff --git a/libs/libfido2/Makefile b/libs/libfido2/Makefile
new file mode 100644
index 000000000..81fb22cf9
--- /dev/null
+++ b/libs/libfido2/Makefile
@@ -0,0 +1,51 @@
+#
+# Copyright (C) 2020 Linos Giannopoulos
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=libfido2
+PKG_VERSION:=1.6.0
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://codeload.github.com/Yubico/libfido2/tar.gz/$(PKG_VERSION)?
+PKG_HASH:=6aed47aafd22be49c38f9281fb88ccd08c98678d9b8c39cdc87d1bb3ea2c63e4
+
+PKG_FORTIFY_SOURCE:=0
+CMAKE_INSTALL:=1
+
+TARGET_CFLAGS += -Wno-error=overflow -Wno-error=sign-conversion
+
+PKG_MAINTAINER:=Linos Giannopoulos
+PKG_LICENSE:=GPL-3.0-or-later
+PKG_LICENSE_FILES:=COPYING
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/cmake.mk
+
+define Package/libfido2
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=FIDO2 Library
+ URL:=https://github.com/Yubico/libfido2
+ ABI_VERSION:=1
+ DEPENDS += +libcbor +libopenssl +libudev
+endef
+
+define Package/libfido2/description
+ libfido2 provides library functionality and command-line tools to communicate with a FIDO device over USB, and to verify attestation and assertion signatures.
+
+ libfido2 supports the FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2) protocols.
+endef
+
+
+define Package/libfido2/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libfido2.so.* $(1)/usr/lib/
+endef
+
+$(eval $(call BuildPackage,libfido2))
From 855db864b0c4d2dcc5ed2f0182ea4a7942314086 Mon Sep 17 00:00:00 2001
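Review bot: `PKG_FORTIFY_SOURCE:=0` switches off _FORTIFY_SOURCE for a library whose job, per the description in this same hunk, is to parse what a USB FIDO device sends back, and nothing in the Makefile says why; that is precisely the code that benefits from fortified string/memory calls. If the reason is the same warnings-as-errors trouble that the `TARGET_CFLAGS += -Wno-error=overflow -Wno-error=sign-conversion` line already works around, extending that line is preferable to dropping the hardening, and either way the line needs a comment along the lines of `# FIXME: fortify disabled because <build failure it works around>` so the next bump can revisit it. Separately, `DEPENDS += +libcbor +libopenssl +libudev` inside the define appends to a variable nothing has set; the conventional form is `DEPENDS:=+libcbor +libopenssl +libudev`.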
From: Linos Giannopoulos
Date: Wed, 6 Jan 2021 23:19:48 +0200
Subject: [PATCH 3/3] openssh: Add FIDO2 hardware token support
Version 8.2[0] added support for two new key types: "ecdsa-sk" and "ed25519-sk". These two type enable the usage of hardware tokens that implement the FIDO (or FIDO2) standard, as an authentication method for SSH. Since we're already on version 8.4 all we need to do is to explicitly enable the support for hardware keys when compiling OpenSSH and add all the missing dependencies OpenSSH requires. OpenSSH depends on libfido2[1], to communicate with the FIDO devices over USB. In turn, libfido2 depends on libcbor, a C implementation of the CBOR protocol[2] and OpenSSL.
[0]: https://lwn.net/Articles/812537/
[1]: https://github.com/Yubico/libfido2
[2]: tools.ietf.org/html/rfc7049
Signed-off-by: Linos Giannopoulos
---
 net/openssh/Config.in | 12 ++++++++++++
 net/openssh/Makefile | 17 +++++++++++++----
 2 files changed, 25 insertions(+), 4 deletions(-)
 create mode 100644 net/openssh/Config.in
diff --git a/net/openssh/Config.in b/net/openssh/Config.in
new file mode 100644
index 000000000..3690ced2b
--- /dev/null
+++ b/net/openssh/Config.in
@@ -0,0 +1,12 @@
+if PACKAGE_openssh-server
+
+config OPENSSH_LIBFIDO2
+ bool
+ default y
+ prompt "Include libfido2 support in openssh-server"
+ help
+ OpenSSH version 8.2 added two new ssh authentication methods,
+ namely `ecdsa_sk` and `ed25519_sk`. These two methods make use
+ of hardware keys that implement the FIDO and FIDO2 protocols.
+ In order to use these two types, libfido2 is required.
+endif
diff --git a/net/openssh/Makefile b/net/openssh/Makefile
index 1782b02f6..a17f6ff0c 100644
--- a/net/openssh/Makefile
+++ b/net/openssh/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openssh
 PKG_VERSION:=8.4p1
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
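Review bot: `default y` on the new OPENSSH_LIBFIDO2 option makes every openssh-server build pull in libfido2 and, through the DEPENDS line in the libfido2 hunk of patch 2/3, libcbor, libopenssl and libudev, on routers that mostly have no USB token attached; a new optional feature with that much extra code belongs behind `default n` unless the commit message argues otherwise. The help text also misdescribes the feature: ecdsa-sk and ed25519-sk are key types rather than authentication methods, and OpenSSH spells them with hyphens, as the commit message itself does. Suggest replacing the first three help lines with `OpenSSH version 8.2 added two new key types, "ecdsa-sk" and` / `"ed25519-sk", whose private keys live on hardware tokens that` / `implement the FIDO and FIDO2 protocols.` and keeping the last line as it is.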
@@ -21,6 +21,10 @@ PKG_LICENSE_FILES:=LICENCE
 PKG_CPE_ID:=cpe:/a:openssh:openssh
 PKG_REMOVE_FILES:=
+PKG_CONFIG_DEPENDS := \
+ CONFIG_OPENSSH_LIBFIDO2
+
+PKG_BUILD_DEPENDS += OPENSSH_LIBFIDO2:libfido2
 include $(INCLUDE_DIR)/package.mk
@@ -82,11 +86,15 @@ endef
 define Package/openssh-server
 $(call Package/openssh/Default)
- DEPENDS+= +openssh-keygen
+ DEPENDS+= +openssh-keygen +OPENSSH_LIBFIDO2:libfido2
 TITLE+= server
 USERID:=sshd=22:sshd=22
 endef
+define Package/openssh-server/config
+ source "$(SOURCE)/Config.in"
+endef
+
 define Package/openssh-server/description
 OpenSSH server.
 endef
@@ -164,8 +172,9 @@ CONFIGURE_ARGS += \
 --without-bsd-auth \
 --without-kerberos5 \
 --with-stackprotect \
- --with$(if $(CONFIG_OPENSSL_ENGINE),,out)-ssl-engine
-
+ --with$(if $(CONFIG_OPENSSL_ENGINE),,out)-ssl-engine \
+ --with$(if $(CONFIG_OPENSSH_LIBFIDO2),,out)-security-key-builtin
+
 ifeq ($(BUILD_VARIANT),with-pam)
 CONFIGURE_ARGS += \
 --with-pam
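Review bot: The `+OPENSSH_LIBFIDO2:libfido2` dependency added in the @@ -82 hunk is attached to openssh-server, but as far as I recall sshd verifies ecdsa-sk/ed25519-sk signatures with libcrypto alone, and the only OpenSSH program that links libfido2 once `--with-security-key-builtin` (the @@ -164 hunk) is in effect is ssh-sk-helper, the helper that ssh and ssh-keygen run to talk to the token. None of the three hunks touches a Package/*/install rule (those rules lie outside the hunks), so it is not visible here whether ssh-sk-helper is shipped at all; if it is not, the server gains a library it never calls and clients on the device still cannot use tokens. Please confirm which package installs ssh-sk-helper and move the DEPENDS entry, together with the `if PACKAGE_openssh-server` gate in Config.in, to that package.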