git: c437ff145cbe - stable/13 - Add libfido2 to the build

From: Ed Maste <>
Date: Wed, 09 Feb 2022 23:58:18 UTC
The branch stable/13 has been updated by emaste:


commit c437ff145cbe5a6173f49472fe5f1ae4c686f121
Author:     Ed Maste <>
AuthorDate: 2021-10-07 01:52:05 +0000
Commit:     Ed Maste <>
CommitDate: 2022-02-09 21:24:54 +0000

    Add libfido2 to the build
        libfido2 provides library functionality and command-line tools to
        communicate with a FIDO device over USB, and to verify attestation
        and assertion signatures.
        libfido2 supports the FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2) protocols.
    libfido2 will be used by ssh to support FIDO/U2F keys. It is currently
    intended only for use by ssh, and so is installed as a PRIVATELIB and is
    placed in the ssh pkgbase package.
    This is currently disabled for the 32-bit library build as libfido2 is
    not compatible with the COMPAT_32BIT hack in usb_ioctl.h.
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:
    (cherry picked from commit 7b1e19ad78c6a3f84f81cb1a16a39500f0337062)
    (cherry picked from commit 93942379cced89ad4ac653f262ac8277a8550853)
 lib/Makefile                             |  4 +-
 lib/libfido2/Makefile                    | 73 ++++++++++++++++++++++++++++++++
 share/mk/                 |  3 ++
 tools/build/mk/ |  3 ++
 4 files changed, 81 insertions(+), 2 deletions(-)

diff --git a/lib/Makefile b/lib/Makefile
index 8b1365e3e59e..5e740edc78a5 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -211,8 +211,8 @@ SUBDIR.${MK_BHYVE}+=	libvmmapi
 .if ${MACHINE_ARCH} != "powerpc"
 SUBDIR.${MK_OPENMP}+=	libomp
-.if !defined(COMPAT_32BIT)
-SUBDIR.${MK_OPENSSH}+=	libcbor
+.if !defined(COMPAT_32BIT) && ${MK_USB} != "no"
+SUBDIR.${MK_OPENSSH}+=	libcbor libfido2
 SUBDIR.${MK_PF}+=	libpfctl
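Review bot: The new condition on the `.if` line also makes libcbor depend on `${MK_USB}`, where before it was built whenever COMPAT_32BIT was not defined; the commit message explains the 32-bit exclusion but not this one. If libcbor is consumed only by libfido2 this is harmless, but nothing in the hunk says so, and any consumer that keys FIDO support on MK_OPENSSH alone would expect two libraries that a WITHOUT_USB build no longer produces. I would add a comment above the condition, e.g. `# libfido2 needs USB HID access; libcbor is built only for libfido2`, and confirm that the ssh side tests the same two knobs. The enclosing `.if` blocks close outside the hunk.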
diff --git a/lib/libfido2/Makefile b/lib/libfido2/Makefile
new file mode 100644
index 000000000000..edf737b9dafc
--- /dev/null
+++ b/lib/libfido2/Makefile
@@ -0,0 +1,73 @@
+LIB=	fido2
+DIST=	${SRCTOP}/contrib/libfido2
+.PATH:	${DIST}/src ${DIST}
+SRCS+=	aes256.c
+SRCS+=	assert.c
+SRCS+=	authkey.c
+SRCS+=	bio.c
+SRCS+=	blob.c
+SRCS+=	buf.c
+SRCS+=	cbor.c
+SRCS+=	compress.c
+SRCS+=	config.c
+SRCS+=	cred.c
+SRCS+=	credman.c
+SRCS+=	dev.c
+SRCS+=	ecdh.c
+SRCS+=	eddsa.c
+SRCS+=	err.c
+SRCS+=	es256.c
+SRCS+=	hid_freebsd.c
+SRCS+=	hid_unix.c
+SRCS+=	hid.c
+SRCS+=	info.c
+SRCS+=	io.c
+SRCS+=	iso7816.c
+SRCS+=	largeblob.c
+SRCS+=	log.c
+SRCS+=	pin.c
+SRCS+=	random.c
+SRCS+=	reset.c
+SRCS+=	rs256.c
+SRCS+=	u2f.c
+SRCS+=	openbsd-compat/freezero.c
+SRCS+=	openbsd-compat/recallocarray.c
+CFLAGS+= -I ${DIST}/src -I${SRCTOP}/contrib/libcbor/src -I${.CURDIR}/../libcbor
+CFLAGS+= -DTLS=__thread
+LIBADD=	crypto z
+.include <>
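Review bot: `LIBADD= crypto z` leaves out cbor even though this Makefile compiles `cbor.c` and adds the libcbor include directories to CFLAGS, so the library appears to use libcbor without recording it as a dependency. The same omission is in the `_DP_fido2+= crypto z` line added to the share/mk file later in this commit. As written, every consumer has to know to link cbor itself, and static links depend on getting the order right; `LIBADD= cbor crypto z` and `_DP_fido2+= cbor crypto z` would state the dependency once. Separately, `-DTLS=__thread` deserves a one-line comment saying what it configures in the library.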
diff --git a/share/mk/ b/share/mk/
index ef21399af7b6..99d416556b54 100644
--- a/share/mk/
+++ b/share/mk/
@@ -20,6 +20,7 @@ _PRIVATELIBS=	\
 		cbor \
 		devdctl \
 		event1 \
+		fido2 \
 		gmock \
 		gtest \
 		gmock_main \
@@ -349,6 +350,7 @@ _DP_pam=	radius tacplus opie md util
 _DP_pam+=	krb5
 .if ${MK_OPENSSH} != "no"
+_DP_fido2+=	crypto z
 _DP_pam+=	ssh
 .if ${MK_NIS} != "no"
@@ -707,6 +709,7 @@ LIBCAP_SYSCTLDIR=	${OBJTOP}/lib/libcasper/services/cap_sysctl
 LIBCAP_SYSLOGDIR=	${OBJTOP}/lib/libcasper/services/cap_syslog
 LIBCBORDIR=	${OBJTOP}/lib/libcbor
 LIBBSDXMLDIR=	${OBJTOP}/lib/libexpat
+LIBFIDO2DIR=	${OBJTOP}/lib/libfido2
 LIBKVMDIR=	${OBJTOP}/lib/libkvm
 LIBMDIR=	${OBJTOP}/lib/msun
diff --git a/tools/build/mk/ b/tools/build/mk/
index 02b239f33a8e..972a58a330dc 100644
--- a/tools/build/mk/
+++ b/tools/build/mk/
@@ -7200,6 +7200,9 @@ OLD_FILES+=usr/bin/ssh-keyscan