Clean up the OpenSSH build. It is now possible to build most components

as static binaries, if desired. The one exception is sshd, which runs into trouble due to libpam.a's includion of pam_ssh. Make OpenSSH use LDNS if available. This allows it to verify signed SSHFP records. Approved by: re (blanket)
2013-09-10 22:26:11 +00:00 · 2013-09-10 22:26:11 +00:00 · 9cfa8b3fee
commit 9cfa8b3fee
parent 27789e56b2
13 changed files with 199 additions and 48 deletions
--- a/Makefile.inc1
+++ b/Makefile.inc1
@ -1470,8 +1470,8 @@ _prebuild_libs=	${_kerberos5_lib_libasn1} \
 		${_cddl_lib_libumem} ${_cddl_lib_libnvpair} \
 		${_cddl_lib_libzfs_core} \
 		lib/libutil ${_lib_libypclnt} lib/libz lib/msun \
-		${_secure_lib_libcrypto} ${_secure_lib_libssh} \
-		${_secure_lib_libssl}
+		${_secure_lib_libcrypto} ${_lib_libldns} \
+		${_secure_lib_libssh} ${_secure_lib_libssl}

 .if ${MK_ATF} != "no"
 _lib_atf_libatf_c=	lib/atf/libatf-c
@ -1507,9 +1507,16 @@ cddl/lib/libzfs_core__L: cddl/lib/libnvpair__L
 _secure_lib_libcrypto= secure/lib/libcrypto
 _secure_lib_libssl= secure/lib/libssl
 lib/libradius__L secure/lib/libssl__L: secure/lib/libcrypto__L
+.if ${MK_LDNS} != "no"
+_lib_libldns= lib/libldns
+lib/libldns__L: secure/lib/libcrypto__L
+.endif
 .if ${MK_OPENSSH} != "no"
 _secure_lib_libssh= secure/lib/libssh
 secure/lib/libssh__L: lib/libz__L secure/lib/libcrypto__L lib/libcrypt__L
+.if ${MK_LDNS} != "no"
+secure/lib/libssh__L: lib/libldns__L
+.endif
 .if ${MK_KERBEROS_SUPPORT} != "no"
 secure/lib/libssh__L: lib/libgssapi__L kerberos5/lib/libkrb5__L \
    kerberos5/lib/libhx509__L kerberos5/lib/libasn1__L lib/libcom_err__L \
--- a/secure/lib/libssh/Makefile
+++ b/secure/lib/libssh/Makefile
@ -21,17 +21,22 @@ SRCS=	authfd.c authfile.c bufaux.c bufbn.c buffer.c \
 # compiled directly into sshd instead.

 # Portability layer
-SRCS+=	bsd-misc.c fmt_scaled.c getrrsetbyname.c glob.c \
+SRCS+=	bsd-misc.c fmt_scaled.c glob.c \
 	openssl-compat.c port-tun.c strtonum.c timingsafe_bcmp.c \
 	vis.c xcrypt.c xmmap.c

-.if defined(COMPAT_GETADDRINFO)
-SRCS+=	getaddrinfo.c getnameinfo.c name6.c rcmd.c bindresvport.c
+.if ${MK_LDNS} == "no"
+SRCS+=	getrrsetbyname.c
+.else
+LDNSDIR=	${.CURDIR}/../../../contrib/ldns
+CFLAGS+=	-DHAVE_LDNS=1 -I${LDNSDIR}
+SRCS+=	getrrsetbyname-ldns.c
+DPADD+=	${LIBLDNS}
+LDADD+=	-lldns
+USEPRIVATELIB+= ldns
 .endif

 CFLAGS+= -I${SSHDIR} -include ssh_namespace.h
-DPADD=	${LIBZ}
-LDADD=	-lz

 .if ${MK_KERBEROS_SUPPORT} != "no"
 CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H=1 -DKRB5 -DHEIMDAL
@ -45,8 +50,8 @@ CFLAGS+= -DNONE_CIPHER_ENABLED

 NO_LINT=

-DPADD+=	${LIBCRYPTO} ${LIBCRYPT}
-LDADD+=	-lcrypto -lcrypt
+DPADD+=	${LIBCRYPTO} ${LIBCRYPT} ${LIBZ}
+LDADD+=	-lcrypto -lcrypt -lz

 .include <bsd.lib.mk>

--- a/secure/libexec/sftp-server/Makefile
+++ b/secure/libexec/sftp-server/Makefile
@ -1,17 +1,31 @@
 # $FreeBSD$

+.include <bsd.own.mk>
+
 PROG=   sftp-server
 SRCS=   sftp-server.c sftp-common.c sftp-server-main.c
 MAN=	sftp-server.8
 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h

-# required when linking with a dynamic libssh 
+.if !defined(NO_SHARED)
+# required when linking with a dynamic libssh
 SRCS+=	roaming_dummy.c
+.endif

-DPADD=	${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
-LDADD=  -lssh -lcrypt -lcrypto -lz
+DPADD=	${LIBSSH}
+LDADD=  -lssh
 USEPRIVATELIB= ssh

+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+#DPADD+=	${LIBLDNS}
+#LDADD+=	-lldns
+#USEPRIVATELIB+= ldns
+.endif
+
+DPADD+=	${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+LDADD+=	-lcrypt -lcrypto -lz
+
 .include <bsd.prog.mk>

 .PATH:	${SSHDIR}
--- a/secure/libexec/ssh-keysign/Makefile
+++ b/secure/libexec/ssh-keysign/Makefile
@ -1,15 +1,27 @@
 # $FreeBSD$

+.include <bsd.own.mk>
+
 PROG=	ssh-keysign
-SRCS=	ssh-keysign.c readconf.c roaming_dummy.c
+SRCS=	ssh-keysign.c roaming_dummy.c readconf.c
 MAN=	ssh-keysign.8
 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
 BINMODE=4555

-DPADD=	${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
-LDADD=	-lssh -lcrypt -lcrypto -lz
+DPADD=	${LIBSSH}
+LDADD=	-lssh
 USEPRIVATELIB= ssh

+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+#DPADD+=	${LIBLDNS}
+#LDADD+=	-lldns
+#USEPRIVATELIB+= ldns
+.endif
+
+DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+LDADD+= -lcrypt -lcrypto -lz
+
 .include <bsd.prog.mk>

 .PATH:	${SSHDIR}
--- a/secure/libexec/ssh-pkcs11-helper/Makefile
+++ b/secure/libexec/ssh-pkcs11-helper/Makefile
@ -1,15 +1,31 @@
 # $FreeBSD$

+.include <bsd.own.mk>
+
 PROG=	ssh-pkcs11-helper
 SRCS=	ssh-pkcs11.c ssh-pkcs11-helper.c
-SRCS+=	roaming_dummy.c
 MAN=	ssh-pkcs11-helper.8
 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h

-DPADD=	${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
-LDADD=	-lssh -lcrypt -lcrypto -lz
+.if !defined(NO_SHARED)
+# required when linking with a dynamic libssh
+SRCS+=	roaming_dummy.c
+.endif
+
+DPADD=	${LIBSSH}
+LDADD=	-lssh
 USEPRIVATELIB= ssh

+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+#DPADD+=	${LIBLDNS}
+#LDADD+=	-lldns
+#USEPRIVATELIB+= ldns
+.endif
+
+DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+LDADD+= -lcrypt -lcrypto -lz
+
 .include <bsd.prog.mk>

 .PATH:	${SSHDIR}
--- a/secure/usr.bin/scp/Makefile
+++ b/secure/usr.bin/scp/Makefile
@ -1,16 +1,30 @@
 # $FreeBSD$

+.include <bsd.own.mk>
+
 PROG=	scp
 SRCS=	scp.c
 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h

+.if !defined(NO_SHARED)
 # required when linking with a dynamic libssh
 SRCS+=	roaming_dummy.c
+.endif

-DPADD=	${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
-LDADD=	-lssh -lcrypt -lcrypto -lz
+DPADD=	${LIBSSH}
+LDADD=	-lssh
 USEPRIVATELIB= ssh

+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+#DPADD+=	${LIBLDNS}
+#LDADD+=	-lldns
+#USEPRIVATELIB+= ldns
+.endif
+
+DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+LDADD+= -lcrypt -lcrypto -lz
+
 .include <bsd.prog.mk>

 .PATH:	${SSHDIR}
--- a/secure/usr.bin/sftp/Makefile
+++ b/secure/usr.bin/sftp/Makefile
@ -1,16 +1,30 @@
 # $FreeBSD$

+.include <bsd.own.mk>
+
 PROG=	sftp
 SRCS=   sftp.c sftp-client.c sftp-common.c sftp-glob.c progressmeter.c
 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h

-# required when linking with a dynamic libssh 
+.if !defined(NO_SHARED)
+# required when linking with a dynamic libssh
 SRCS+=	roaming_dummy.c
+.endif

-DPADD=	${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} ${LIBEDIT} ${LIBNCURSES}
-LDADD=	-lssh -lcrypt -lcrypto -lz -ledit -lncurses
+DPADD=	${LIBSSH} ${LIBEDIT} ${LIBNCURSES}
+LDADD=	-lssh -ledit -lncurses
 USEPRIVATELIB= ssh

+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+#DPADD+=	${LIBLDNS}
+#LDADD+=	-lldns
+#USEPRIVATELIB+= ldns
+.endif
+
+DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+LDADD+= -lcrypt -lcrypto -lz
+
 .include <bsd.prog.mk>

 .PATH:	${SSHDIR}
--- a/secure/usr.bin/ssh-add/Makefile
+++ b/secure/usr.bin/ssh-add/Makefile
@ -1,16 +1,30 @@
 # $FreeBSD$

+.include <bsd.own.mk>
+
 PROG=	ssh-add
 SRCS+=	ssh-add.c
 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h

-# required when linking with a dynamic libssh 
+.if !defined(NO_SHARED)
+# required when linking with a dynamic libssh
 SRCS+=	roaming_dummy.c
+.endif

-DPADD=	${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
-LDADD=	-lssh -lcrypt -lcrypto -lz
+DPADD=	${LIBSSH}
+LDADD=	-lssh
 USEPRIVATELIB= ssh

+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+#DPADD+=	${LIBLDNS}
+#LDADD+=	-lldns
+#USEPRIVATELIB+= ldns
+.endif
+
+DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+LDADD+= -lcrypt -lcrypto -lz
+
 .include <bsd.prog.mk>

 .PATH:	${SSHDIR}
--- a/secure/usr.bin/ssh-agent/Makefile
+++ b/secure/usr.bin/ssh-agent/Makefile
@ -1,16 +1,30 @@
 # $FreeBSD$

+.include <bsd.own.mk>
+
 PROG=	ssh-agent
 SRCS=	ssh-agent.c
 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h

-# required when linking with a dynamic libssh 
+.if !defined(NO_SHARED)
+# required when linking with a dynamic libssh
 SRCS+=	roaming_dummy.c
+.endif

-DPADD=	${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
-LDADD=	-lssh -lcrypt -lcrypto -lz
+DPADD=	${LIBSSH}
+LDADD=	-lssh
 USEPRIVATELIB= ssh

+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+#DPADD+=	${LIBLDNS}
+#LDADD+=	-lldns
+#USEPRIVATELIB+= ldns
+.endif
+
+DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+LDADD+= -lcrypt -lcrypto -lz
+
 .include <bsd.prog.mk>

 .PATH:	${SSHDIR}
--- a/secure/usr.bin/ssh-keygen/Makefile
+++ b/secure/usr.bin/ssh-keygen/Makefile
@ -1,16 +1,30 @@
 # $FreeBSD$

+.include <bsd.own.mk>
+
 PROG=	ssh-keygen
 SRCS=	ssh-keygen.c
 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h

-# required when linking with a dynamic libssh 
-SRCS+=  roaming_dummy.c
+.if !defined(NO_SHARED)
+# required when linking with a dynamic libssh
+SRCS+=	roaming_dummy.c
+.endif

-DPADD=	${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
-LDADD=	-lssh -lcrypt -lcrypto -lz
+DPADD=	${LIBSSH}
+LDADD=	-lssh
 USEPRIVATELIB= ssh

+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+DPADD+=	${LIBLDNS}
+LDADD+=	-lldns
+USEPRIVATELIB+= ldns
+.endif
+
+DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+LDADD+= -lcrypt -lcrypto -lz
+
 .include <bsd.prog.mk>

 .PATH:	${SSHDIR}
--- a/secure/usr.bin/ssh-keyscan/Makefile
+++ b/secure/usr.bin/ssh-keyscan/Makefile
@ -1,13 +1,25 @@
 # $FreeBSD$

+.include <bsd.own.mk>
+
 PROG=	ssh-keyscan
 SRCS=	ssh-keyscan.c roaming_dummy.c
 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h

-DPADD=	${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
-LDADD=	-lssh -lcrypt -lcrypto -lz
+DPADD=	${LIBSSH}
+LDADD=	-lssh
 USEPRIVATELIB= ssh

+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+#DPADD+=	${LIBLDNS}
+#LDADD+=	-lldns
+#USEPRIVATELIB+= ldns
+.endif
+
+DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+LDADD+= -lcrypt -lcrypto -lz
+
 .include <bsd.prog.mk>

 .PATH:	${SSHDIR}
--- a/secure/usr.bin/ssh/Makefile
+++ b/secure/usr.bin/ssh/Makefile
@ -1,5 +1,4 @@
 # $FreeBSD$
-#

 .include <bsd.own.mk>

@ -16,10 +15,17 @@ SRCS=	ssh.c readconf.c clientloop.c sshtty.c \
 # gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile
 SRCS+=	gss-genr.c

-DPADD=	${LIBSSH} ${LIBUTIL} ${LIBZ}
-LDADD=	-lssh -lutil -lz
+DPADD=	${LIBSSH} ${LIBUTIL}
+LDADD=	-lssh -lutil
 USEPRIVATELIB= ssh

+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+DPADD+=	${LIBLDNS}
+LDADD+=	-lldns
+USEPRIVATELIB+= ldns
+.endif
+
 .if ${MK_KERBEROS_SUPPORT} != "no"
 CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H=1 -DKRB5 -DHEIMDAL
 DPADD+=	 ${LIBGSSAPI}
@ -30,8 +36,8 @@ LDADD+=	 -lgssapi
 CFLAGS+= -DNONE_CIPHER_ENABLED
 .endif

-DPADD+=	${LIBCRYPT} ${LIBCRYPTO}
-LDADD+=	-lcrypt -lcrypto
+DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+LDADD+= -lcrypt -lcrypto -lz

 .if defined(LOCALBASE)
 CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
--- a/secure/usr.sbin/sshd/Makefile
+++ b/secure/usr.sbin/sshd/Makefile
@ -1,5 +1,4 @@
 # $FreeBSD$
-#

 .include <bsd.own.mk>

@ -25,10 +24,17 @@ SRCS+=	gss-genr.c
 MAN=	sshd.8 sshd_config.5
 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h

-DPADD=	${LIBSSH} ${LIBUTIL} ${LIBZ} ${LIBWRAP} ${LIBPAM}
-LDADD=	-lssh -lutil -lz -lwrap ${MINUSLPAM}
+DPADD=	${LIBSSH} ${LIBUTIL} ${LIBWRAP} ${LIBPAM}
+LDADD=	-lssh -lutil -lwrap ${MINUSLPAM}
 USEPRIVATELIB= ssh

+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+#DPADD+=	${LIBLDNS}
+#LDADD+=	-lldns
+#USEPRIVATELIB+= ldns
+.endif
+
 .if ${MK_AUDIT} != "no"
 CFLAGS+= -DUSE_BSM_AUDIT -DHAVE_GETAUDIT_ADDR
 DPADD+=  ${LIBBSM}
@ -36,17 +42,20 @@ LDADD+=  -lbsm
 .endif

 .if ${MK_KERBEROS_SUPPORT} != "no"
-CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H=1 -DHAVE_GSSAPI_GSSAPI_KRB5_H=1 -DKRB5 -DHEIMDAL
-DPADD+=	 ${LIBGSSAPI_KRB5} ${LIBGSSAPI} ${LIBKRB5} ${LIBASN1}
-LDADD+=	 -lgssapi_krb5 -lgssapi -lkrb5 -lasn1
+CFLAGS+= -DGSSAPI -DKRB5 -DHEIMDAL \
+	-DHAVE_GSSAPI_GSSAPI_H=1 -DHAVE_GSSAPI_GSSAPI_KRB5_H=1
+DPADD+=	 ${LIBGSSAPI_KRB5} ${LIBGSSAPI} ${LIBKRB5} ${LIBHX509} ${LIBASN1} \
+	${LIBCOM_ERR} ${LIBROKEN} ${LIBWIND} ${LIBHEIMBASE} ${LIBHEIMIPCC}
+LDADD+=	 -lgssapi_krb5 -lgssapi -lkrb5 -lhx509 -lasn1 \
+	-lcom_err -lroken -lwind -lheimbase -lheimipcc
 .endif

 .if ${MK_OPENSSH_NONE_CIPHER} != "no"
 CFLAGS+= -DNONE_CIPHER_ENABLED
 .endif

-DPADD+=	${LIBCRYPTO} ${LIBCRYPT}
-LDADD+=	-lcrypto -lcrypt
+DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+LDADD+= -lcrypt -lcrypto -lz

 .if defined(LOCALBASE)
 CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"