Package: libfido2-1
Version: 1.17.0-1
Severity: wishlist
Tags: patch

Enable USE_PCSC at build time, so libfido2 can use FIDO devices over PCSC/contactless smartcard readers (e.g. NFC taps via a USB CCID reader), not just the Linux kernel NFC subsystem or USB HID.

Background
----------

libfido2 has three transports on Linux: USB HID, the kernel NFC subsystem (NFC_LINUX), and PCSC (USE_PCSC). The PCSC transport is for contactless readers that the kernel's NFC subsystem doesn't drive directly -- e.g. PC/SC-class readers like the ACS ACR1252, which are common, inexpensive, and already fully supported by pcscd/pcsc-lite in Debian.

Upstream's CMakeLists.txt defaults USE_PCSC to ON on the current main branch, but the maintainers disable it in the CMakeLists.txt shipped in each release tag just before cutting a release, considering it "experimental" (see upstream discussion: https://github.com/Yubico/libfido2/discussions/855). Because of that, every tagged release -- including 1.17.0 -- ships with USE_PCSC OFF by default, and Debian's debian/rules doesn't override it, so the built libfido2-1 package has no PCSC support at all (confirmed via ldd: no libpcsclite linkage). libpcsclite-dev also isn't currently a Build-Depends.

Since Debian already ships pcsc-lite and pcscd, and libpcsclite-dev is readily available, there's no reason PCSC support can't be built in alongside the existing USB and kernel-NFC transports.

Evidence it works
-----------------

I built libfido2 from the upstream main branch with -DUSE_PCSC=ON (pkg_check_modules picks up libpcsclite cleanly, no patches needed to libfido2 itself), then built libpam-u2f 1.4.0 against it. Tested against a YubiKey 5-series key resting on an ACS ACR1252 Dual Reader's contactless (PICC) interface, with no USB connection:

$ fido2-token -L
pcsc://slot0: vendor=0x0000, product=0x0000 (PC/SC ACS ACR1252 Dual Reader [ACR1252 Dual Reader PICC] 00 00)

$ fido2-token -I pcsc://slot0
[... full CTAP2 getInfo response, including "transport strings: nfc, usb" ...]

I then used the same setup for real: pam_u2f authenticating `sudo` over this transport, with the existing U2F credential (originally registered over USB) working unmodified over PCSC/NFC -- no re-enrollment needed, no APDU-chaining errors, clean round trip.

Proposed patch
--------------

Attached: two-line change to debian/control (add libpcsclite-dev to Build-Depends) and debian/rules (pass -DUSE_PCSC=ON to dh_auto_configure), diffed against debian/sid HEAD (56ac1a33ba8953bec4fcc10243c6fb2d8b288c8d).

-- System Information:
Debian Release: forky/sid
  APT prefers resolute-updates
  APT policy: (500, 'resolute-updates'), (500, 'resolute-security'), (500, 'resolute')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64

Kernel: Linux 7.0.0-22-generic (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libfido2-1 depends on:
ii  libc6        2.43-2ubuntu2
ii  libcbor0.10  0.10.2-2ubuntu3
ii  libssl3t64   3.5.5-1ubuntu3.2
ii  libudev1     259.5-0ubuntu3
ii  zlib1g       1:1.3.dfsg+really1.3.1-1ubuntu3

libfido2-1 recommends no packages.

libfido2-1 suggests no packages.

-- no debconf information
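The two checks the report relies on (libpcsclite linkage of libfido2.so.1, and pcsc:// entries in `fido2-token -L` output) can be scripted so a user of the rebuilt package can confirm PCSC support without hardware guesswork. The script below is an added example, not part of the bug report, the attached patch, or the libfido2/Debian packaging. It assumes Debian's multiarch library layout for locating libfido2.so.1 and the `fido2-token -L` line format shown above; the sample ldd and fido2-token output embedded in it is constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the bug report or the libfido2 project): check
# whether an installed libfido2 has the PCSC transport compiled in.
#
# Two independent signals, matching what the report checked:
#   1. libfido2.so.1 is linked against libpcsclite (ldd)
#   2. fido2-token -L enumerates pcsc:// devices
# The parsing functions read stdin so they can be tested against constructed
# sample output (below) without libfido2, pcscd or a reader present.

# Print "yes" if ldd output on stdin shows a libpcsclite dependency.
pcsc_linked() {
    if grep -q 'libpcsclite\.so'; then
        echo yes
    else
        echo no
    fi
}

# Print the device path of every pcsc:// line in `fido2-token -L` output
# (stdin). Lines look like "<path>: vendor=0x..., product=0x... (<name>)".
pcsc_devices() {
    sed -n 's/^\(pcsc:\/\/[^:]*\):.*/\1/p'
}

# Locate libfido2.so.1 (assumption: Debian multiarch layout, with plain
# /usr/lib and /usr/local/lib as fallbacks for a locally built copy).
libfido2_path() {
    multiarch=$(dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null)
    for d in "/usr/lib/$multiarch" /usr/lib /usr/local/lib; do
        [ -e "$d/libfido2.so.1" ] && { echo "$d/libfido2.so.1"; return 0; }
    done
    return 1
}

# Constructed sample output (not captured from a real system).
SAMPLE_LDD_NO_PCSC='	linux-vdso.so.1 (0x00007ffd1a3e0000)
	libcbor.so.0.10 => /lib/x86_64-linux-gnu/libcbor.so.0.10 (0x00007f2b2c4c0000)
	libudev.so.1 => /lib/x86_64-linux-gnu/libudev.so.1 (0x00007f2b2c480000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f2b2c000000)'
SAMPLE_LDD_PCSC="$SAMPLE_LDD_NO_PCSC
	libpcsclite.so.1 => /lib/x86_64-linux-gnu/libpcsclite.so.1 (0x00007f2b2c460000)"
SAMPLE_TOKEN_LIST='/dev/hidraw3: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
pcsc://slot0: vendor=0x0000, product=0x0000 (PC/SC ACS ACR1252 Dual Reader [ACR1252 Dual Reader PICC] 00 00)'

# Offline demonstration against the constructed samples.
run_sample() {
    echo "stock package ldd  -> pcsc linked: $(printf '%s\n' "$SAMPLE_LDD_NO_PCSC" | pcsc_linked)"
    echo "USE_PCSC=ON ldd    -> pcsc linked: $(printf '%s\n' "$SAMPLE_LDD_PCSC" | pcsc_linked)"
    echo "fido2-token -L     -> pcsc devices:"
    printf '%s\n' "$SAMPLE_TOKEN_LIST" | pcsc_devices
}

# Real check of the installed system; never fails hard, so it is safe to
# run on a box without libfido2 or fido2-token.
check_installed() {
    lib=$(libfido2_path) || { echo "libfido2.so.1 not found"; return 0; }
    echo "$lib -> pcsc linked: $(ldd "$lib" | pcsc_linked)"
    if command -v fido2-token >/dev/null 2>&1; then
        echo "pcsc devices seen by fido2-token -L:"
        fido2-token -L 2>/dev/null | pcsc_devices
    else
        echo "fido2-token not installed (package fido2-tools); skipping device check"
    fi
}

case "${1:-}" in
    --sample) run_sample ;;
    *)        check_installed ;;
esac
```

Run it with `--sample` to see the offline demonstration; with no arguments it inspects the local system. A stock libfido2-1 from the 1.17.0-1 package should report `pcsc linked: no`, and a build with -DUSE_PCSC=ON should report `yes` and, with pcscd running and a token on a PC/SC reader, list a `pcsc://slotN` path.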

