git: faa9ffff57d4 - stable/13 - ssh: generate SK config file using private cbor and fido2 libs

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Fri, 15 Apr 2022 16:37:18 UTC
The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=faa9ffff57d4620142b195560a425c497673ac2b

commit faa9ffff57d4620142b195560a425c497673ac2b
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-03-01 21:39:16 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-04-15 16:30:37 +0000

    ssh: generate SK config file using private cbor and fido2 libs
    
    Specify -lprivatecbor and -lprivatefido2 in OpenSSH's configure.ac, and
    pass -I paths to libcbor and libfido2's contrib src location.
    
    MFC after:      3 days
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D34440
    
    (cherry picked from commit 73104d583850f7447ae1fe70c59a42e69d9d407c)
---
 crypto/openssh/configure.ac         |  6 +++---
 crypto/openssh/freebsd-configure.sh | 22 +++++++++++++++++++---
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/crypto/openssh/configure.ac b/crypto/openssh/configure.ac
index 428f3ff55a87..28a64d8f07db 100644
--- a/crypto/openssh/configure.ac
+++ b/crypto/openssh/configure.ac
@@ -3263,16 +3263,16 @@ if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then
 		LIBFIDO2=`$PKGCONFIG --libs libfido2`
 		CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
 	else
-		LIBFIDO2="-lfido2 -lcbor"
+		LIBFIDO2="-lprivatefido2 -lprivatecbor"
 	fi
 	OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
-	AC_CHECK_LIB([fido2], [fido_init],
+	AC_CHECK_LIB([privatefido2], [fido_init],
 		[
 			AC_SUBST([LIBFIDO2])
 			AC_DEFINE([ENABLE_SK_INTERNAL], [],
 			    [Enable for built-in U2F/FIDO support])
 			enable_sk="built-in"
-		], [ AC_MSG_ERROR([no usable libfido2 found]) ],
+		], [ AC_MSG_ERROR([no usable libprivatefido2 found]) ],
 		[ $OTHERLIBS ]
 	)
 	saved_LIBS="$LIBS"
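Review bot: The context line `OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`` directly under the changed assignment is now stale: `-lfido2` does not occur inside `-lprivatefido2 -lprivatecbor` (the `-l` is followed by `private`), so nothing is stripped and the library under test is handed to AC_CHECK_LIB twice, once as its first argument and again through `$OTHERLIBS`. The link test still passes because a repeated `-l` is harmless, but OTHERLIBS no longer means "the libraries other than the one being checked", which is what the third-argument slot is for. Updating the pattern alongside the rename, e.g. `OTHERLIBS=`echo $LIBFIDO2 | sed -e 's/-lprivatefido2//' -e 's/-lfido2//'``, restores the intent and also covers the pkg-config branch above, which still yields the plain `-lfido2 -lcbor` spelling if that path is ever taken on this build. The enclosing `if test "x$enable_sk" ...` block continues outside the hunk.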
diff --git a/crypto/openssh/freebsd-configure.sh b/crypto/openssh/freebsd-configure.sh
index 4d405a0ffacb..3cde318ade58 100755
--- a/crypto/openssh/freebsd-configure.sh
+++ b/crypto/openssh/freebsd-configure.sh
@@ -12,7 +12,6 @@ configure_args="
     --with-libedit
     --with-ssl-engine
     --without-xauth
-    --without-security-key-builtin
 "
 
 set -e
@@ -34,11 +33,28 @@ sh configure $configure_args --with-kerberos5=/usr
 mv config.log config.log.kerberos5
 mv config.h config.h.kerberos5
 
-# Generate config.h without krb5
-sh configure $configure_args --without-kerberos5
+# Generate config.h with built-in security key support
+#
+# We install libcbor and libfido2 as PRIVATELIB, so the headers are not
+# available for configure - add their paths via CFLAGS as a slight hack.
+# configure.ac is also patched to specify -lprivatecbor and -lprivatefido2
+# rather than -lcbor and -lfido2.
+export CFLAGS="-I$openssh/../../contrib/libcbor/src -I$openssh/../../contrib/libfido2/src"
+sh configure $configure_args --with-security-key-builtin
+unset CFLAGS
+mv config.log config.log.sk-builtin
+mv config.h config.h.sk-builtin
+
+# Generate config.h without krb5 or SK support
+sh configure $configure_args --without-kerberos5 --without-security-key-builtin
 
 # Extract the difference
 echo '/* $Free''BSD$ */' > krb5_config.h
 diff -u config.h.kerberos5 config.h |
 	sed -n '/^-#define/s/^-//p' |
 	grep -Ff /dev/stdin config.h.kerberos5 >> krb5_config.h
+
+# Extract the difference - SK
+diff -u config.h.sk-builtin config.h |
+    sed -n '/^-#define/s/^-//p' |
+    grep -Ff /dev/stdin config.h.sk-builtin > sk_config.h
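Review bot: `export CFLAGS=...` followed by `unset CFLAGS` clobbers any CFLAGS the caller had in the environment, so if one was set the earlier kerberos5 run saw it while the final `--without-kerberos5 --without-security-key-builtin` run does not, and the config.h variants being diffed are no longer produced under the same flags. A per-command assignment removes both the export and the unset: `CFLAGS="-I$openssh/../../contrib/libcbor/src -I$openssh/../../contrib/libfido2/src" sh configure $configure_args --with-security-key-builtin`. Separately, the new extraction block diverges from the krb5 one just above it: `sk_config.h` is created with `>` and never receives the `/* $Free''BSD$ */` first line that `krb5_config.h` gets, and its pipeline continuations are indented with four spaces where the existing ones use a tab; if dropping the header is deliberate, a one-line comment such as `# no $FreeBSD$ header: sk_config.h is regenerated, not committed` (wording as appropriate) would keep the next reader from "fixing" it. Note also that `grep -Ff /dev/stdin` exits 1 when the diff yields no `-#define` lines, which under the script's `set -e` aborts the generator; that is presumably the desired failure mode for a broken SK configure, but it is worth stating in the comment.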