Clean up the OpenSSH build. It is now possible to build most components

as static binaries, if desired.  The one exception is sshd, which runs
into trouble due to libpam.a's includion of pam_ssh.

Make OpenSSH use LDNS if available.  This allows it to verify signed
SSHFP records.

Approved by:	re (blanket)

Makefile.inc1

@@ -1470,8 +1470,8 @@ _prebuild_libs=	${_kerberos5_lib_libasn1} \
 		${_cddl_lib_libumem} ${_cddl_lib_libnvpair} \
 		${_cddl_lib_libzfs_core} \
 		lib/libutil ${_lib_libypclnt} lib/libz lib/msun \
-		${_secure_lib_libcrypto} ${_secure_lib_libssh} \
+		${_secure_lib_libcrypto} ${_lib_libldns} \
-		${_secure_lib_libssl}
+		${_secure_lib_libssh} ${_secure_lib_libssl}
 
 .if ${MK_ATF} != "no"
 _lib_atf_libatf_c=	lib/atf/libatf-c
@@ -1507,9 +1507,16 @@ cddl/lib/libzfs_core__L: cddl/lib/libnvpair__L
 _secure_lib_libcrypto= secure/lib/libcrypto
 _secure_lib_libssl= secure/lib/libssl
 lib/libradius__L secure/lib/libssl__L: secure/lib/libcrypto__L
+.if ${MK_LDNS} != "no"
+_lib_libldns= lib/libldns
+lib/libldns__L: secure/lib/libcrypto__L
+.endif
 .if ${MK_OPENSSH} != "no"
 _secure_lib_libssh= secure/lib/libssh
 secure/lib/libssh__L: lib/libz__L secure/lib/libcrypto__L lib/libcrypt__L
+.if ${MK_LDNS} != "no"
+secure/lib/libssh__L: lib/libldns__L
+.endif
 .if ${MK_KERBEROS_SUPPORT} != "no"
 secure/lib/libssh__L: lib/libgssapi__L kerberos5/lib/libkrb5__L \
     kerberos5/lib/libhx509__L kerberos5/lib/libasn1__L lib/libcom_err__L \

secure/lib/libssh/Makefile

@@ -21,17 +21,22 @@ SRCS=	authfd.c authfile.c bufaux.c bufbn.c buffer.c \
 # compiled directly into sshd instead.
 
 # Portability layer
-SRCS+=	bsd-misc.c fmt_scaled.c getrrsetbyname.c glob.c \
+SRCS+=	bsd-misc.c fmt_scaled.c glob.c \
 	openssl-compat.c port-tun.c strtonum.c timingsafe_bcmp.c \
 	vis.c xcrypt.c xmmap.c
 
-.if defined(COMPAT_GETADDRINFO)
+.if ${MK_LDNS} == "no"
-SRCS+=	getaddrinfo.c getnameinfo.c name6.c rcmd.c bindresvport.c
+SRCS+=	getrrsetbyname.c
+.else
+LDNSDIR=	${.CURDIR}/../../../contrib/ldns
+CFLAGS+=	-DHAVE_LDNS=1 -I${LDNSDIR}
+SRCS+=	getrrsetbyname-ldns.c
+DPADD+=	${LIBLDNS}
+LDADD+=	-lldns
+USEPRIVATELIB+= ldns
 .endif
 
 CFLAGS+= -I${SSHDIR} -include ssh_namespace.h
-DPADD=	${LIBZ}
-LDADD=	-lz
 
 .if ${MK_KERBEROS_SUPPORT} != "no"
 CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H=1 -DKRB5 -DHEIMDAL
@@ -45,8 +50,8 @@ CFLAGS+= -DNONE_CIPHER_ENABLED
 
 NO_LINT=
 
-DPADD+=	${LIBCRYPTO} ${LIBCRYPT}
+DPADD+=	${LIBCRYPTO} ${LIBCRYPT} ${LIBZ}
-LDADD+=	-lcrypto -lcrypt
+LDADD+=	-lcrypto -lcrypt -lz
 
 .include <bsd.lib.mk>
 

secure/libexec/sftp-server/Makefile

@@ -1,17 +1,31 @@
 # $FreeBSD$
 
+.include <bsd.own.mk>
+
 PROG=   sftp-server
 SRCS=   sftp-server.c sftp-common.c sftp-server-main.c
 MAN=	sftp-server.8
 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
 
+.if !defined(NO_SHARED)
 # required when linking with a dynamic libssh
 SRCS+=	roaming_dummy.c
+.endif
 
-DPADD=	${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+DPADD=	${LIBSSH}
-LDADD=  -lssh -lcrypt -lcrypto -lz
+LDADD=  -lssh
 USEPRIVATELIB= ssh
 
+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+#DPADD+=	${LIBLDNS}
+#LDADD+=	-lldns
+#USEPRIVATELIB+= ldns
+.endif
+
+DPADD+=	${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+LDADD+=	-lcrypt -lcrypto -lz
+
 .include <bsd.prog.mk>
 
 .PATH:	${SSHDIR}

secure/libexec/ssh-keysign/Makefile

@@ -1,15 +1,27 @@
 # $FreeBSD$
 
+.include <bsd.own.mk>
+
 PROG=	ssh-keysign
-SRCS=	ssh-keysign.c readconf.c roaming_dummy.c
+SRCS=	ssh-keysign.c roaming_dummy.c readconf.c
 MAN=	ssh-keysign.8
 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
 BINMODE=4555
 
-DPADD=	${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+DPADD=	${LIBSSH}
-LDADD=	-lssh -lcrypt -lcrypto -lz
+LDADD=	-lssh
 USEPRIVATELIB= ssh
 
+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+#DPADD+=	${LIBLDNS}
+#LDADD+=	-lldns
+#USEPRIVATELIB+= ldns
+.endif
+
+DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+LDADD+= -lcrypt -lcrypto -lz
+
 .include <bsd.prog.mk>
 
 .PATH:	${SSHDIR}

secure/libexec/ssh-pkcs11-helper/Makefile

@@ -1,15 +1,31 @@
 # $FreeBSD$
 
+.include <bsd.own.mk>
+
 PROG=	ssh-pkcs11-helper
 SRCS=	ssh-pkcs11.c ssh-pkcs11-helper.c
-SRCS+=	roaming_dummy.c
 MAN=	ssh-pkcs11-helper.8
 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
 
-DPADD=	${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+.if !defined(NO_SHARED)
-LDADD=	-lssh -lcrypt -lcrypto -lz
+# required when linking with a dynamic libssh
+SRCS+=	roaming_dummy.c
+.endif
+
+DPADD=	${LIBSSH}
+LDADD=	-lssh
 USEPRIVATELIB= ssh
 
+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+#DPADD+=	${LIBLDNS}
+#LDADD+=	-lldns
+#USEPRIVATELIB+= ldns
+.endif
+
+DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+LDADD+= -lcrypt -lcrypto -lz
+
 .include <bsd.prog.mk>
 
 .PATH:	${SSHDIR}

secure/usr.bin/scp/Makefile

@@ -1,16 +1,30 @@
 # $FreeBSD$
 
+.include <bsd.own.mk>
+
 PROG=	scp
 SRCS=	scp.c
 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
 
+.if !defined(NO_SHARED)
 # required when linking with a dynamic libssh
 SRCS+=	roaming_dummy.c
+.endif
 
-DPADD=	${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+DPADD=	${LIBSSH}
-LDADD=	-lssh -lcrypt -lcrypto -lz
+LDADD=	-lssh
 USEPRIVATELIB= ssh
 
+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+#DPADD+=	${LIBLDNS}
+#LDADD+=	-lldns
+#USEPRIVATELIB+= ldns
+.endif
+
+DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+LDADD+= -lcrypt -lcrypto -lz
+
 .include <bsd.prog.mk>
 
 .PATH:	${SSHDIR}

secure/usr.bin/sftp/Makefile

@@ -1,16 +1,30 @@
 # $FreeBSD$
 
+.include <bsd.own.mk>
+
 PROG=	sftp
 SRCS=   sftp.c sftp-client.c sftp-common.c sftp-glob.c progressmeter.c
 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
 
+.if !defined(NO_SHARED)
 # required when linking with a dynamic libssh
 SRCS+=	roaming_dummy.c
+.endif
 
-DPADD=	${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} ${LIBEDIT} ${LIBNCURSES}
+DPADD=	${LIBSSH} ${LIBEDIT} ${LIBNCURSES}
-LDADD=	-lssh -lcrypt -lcrypto -lz -ledit -lncurses
+LDADD=	-lssh -ledit -lncurses
 USEPRIVATELIB= ssh
 
+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+#DPADD+=	${LIBLDNS}
+#LDADD+=	-lldns
+#USEPRIVATELIB+= ldns
+.endif
+
+DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+LDADD+= -lcrypt -lcrypto -lz
+
 .include <bsd.prog.mk>
 
 .PATH:	${SSHDIR}

secure/usr.bin/ssh-add/Makefile

@@ -1,16 +1,30 @@
 # $FreeBSD$
 
+.include <bsd.own.mk>
+
 PROG=	ssh-add
 SRCS+=	ssh-add.c
 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
 
+.if !defined(NO_SHARED)
 # required when linking with a dynamic libssh
 SRCS+=	roaming_dummy.c
+.endif
 
-DPADD=	${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+DPADD=	${LIBSSH}
-LDADD=	-lssh -lcrypt -lcrypto -lz
+LDADD=	-lssh
 USEPRIVATELIB= ssh
 
+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+#DPADD+=	${LIBLDNS}
+#LDADD+=	-lldns
+#USEPRIVATELIB+= ldns
+.endif
+
+DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+LDADD+= -lcrypt -lcrypto -lz
+
 .include <bsd.prog.mk>
 
 .PATH:	${SSHDIR}

secure/usr.bin/ssh-agent/Makefile

@@ -1,16 +1,30 @@
 # $FreeBSD$
 
+.include <bsd.own.mk>
+
 PROG=	ssh-agent
 SRCS=	ssh-agent.c
 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
 
+.if !defined(NO_SHARED)
 # required when linking with a dynamic libssh
 SRCS+=	roaming_dummy.c
+.endif
 
-DPADD=	${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+DPADD=	${LIBSSH}
-LDADD=	-lssh -lcrypt -lcrypto -lz
+LDADD=	-lssh
 USEPRIVATELIB= ssh
 
+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+#DPADD+=	${LIBLDNS}
+#LDADD+=	-lldns
+#USEPRIVATELIB+= ldns
+.endif
+
+DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+LDADD+= -lcrypt -lcrypto -lz
+
 .include <bsd.prog.mk>
 
 .PATH:	${SSHDIR}

secure/usr.bin/ssh-keygen/Makefile

@@ -1,16 +1,30 @@
 # $FreeBSD$
 
+.include <bsd.own.mk>
+
 PROG=	ssh-keygen
 SRCS=	ssh-keygen.c
 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
 
+.if !defined(NO_SHARED)
 # required when linking with a dynamic libssh
-SRCS+=  roaming_dummy.c
+SRCS+=	roaming_dummy.c
+.endif
 
-DPADD=	${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+DPADD=	${LIBSSH}
-LDADD=	-lssh -lcrypt -lcrypto -lz
+LDADD=	-lssh
 USEPRIVATELIB= ssh
 
+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+DPADD+=	${LIBLDNS}
+LDADD+=	-lldns
+USEPRIVATELIB+= ldns
+.endif
+
+DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+LDADD+= -lcrypt -lcrypto -lz
+
 .include <bsd.prog.mk>
 
 .PATH:	${SSHDIR}

secure/usr.bin/ssh-keyscan/Makefile

@@ -1,13 +1,25 @@
 # $FreeBSD$
 
+.include <bsd.own.mk>
+
 PROG=	ssh-keyscan
 SRCS=	ssh-keyscan.c roaming_dummy.c
 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
 
-DPADD=	${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+DPADD=	${LIBSSH}
-LDADD=	-lssh -lcrypt -lcrypto -lz
+LDADD=	-lssh
 USEPRIVATELIB= ssh
 
+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+#DPADD+=	${LIBLDNS}
+#LDADD+=	-lldns
+#USEPRIVATELIB+= ldns
+.endif
+
+DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+LDADD+= -lcrypt -lcrypto -lz
+
 .include <bsd.prog.mk>
 
 .PATH:	${SSHDIR}

secure/usr.bin/ssh/Makefile

@@ -1,5 +1,4 @@
 # $FreeBSD$
-#
 
 .include <bsd.own.mk>
 
@@ -16,10 +15,17 @@ SRCS=	ssh.c readconf.c clientloop.c sshtty.c \
 # gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile
 SRCS+=	gss-genr.c
 
-DPADD=	${LIBSSH} ${LIBUTIL} ${LIBZ}
+DPADD=	${LIBSSH} ${LIBUTIL}
-LDADD=	-lssh -lutil -lz
+LDADD=	-lssh -lutil
 USEPRIVATELIB= ssh
 
+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+DPADD+=	${LIBLDNS}
+LDADD+=	-lldns
+USEPRIVATELIB+= ldns
+.endif
+
 .if ${MK_KERBEROS_SUPPORT} != "no"
 CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H=1 -DKRB5 -DHEIMDAL
 DPADD+=	 ${LIBGSSAPI}
@@ -30,8 +36,8 @@ LDADD+=	 -lgssapi
 CFLAGS+= -DNONE_CIPHER_ENABLED
 .endif
 
-DPADD+=	${LIBCRYPT} ${LIBCRYPTO}
+DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
-LDADD+=	-lcrypt -lcrypto
+LDADD+= -lcrypt -lcrypto -lz
 
 .if defined(LOCALBASE)
 CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"

secure/usr.sbin/sshd/Makefile

@@ -1,5 +1,4 @@
 # $FreeBSD$
-#
 
 .include <bsd.own.mk>
 
@@ -25,10 +24,17 @@ SRCS+=	gss-genr.c
 MAN=	sshd.8 sshd_config.5
 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
 
-DPADD=	${LIBSSH} ${LIBUTIL} ${LIBZ} ${LIBWRAP} ${LIBPAM}
+DPADD=	${LIBSSH} ${LIBUTIL} ${LIBWRAP} ${LIBPAM}
-LDADD=	-lssh -lutil -lz -lwrap ${MINUSLPAM}
+LDADD=	-lssh -lutil -lwrap ${MINUSLPAM}
 USEPRIVATELIB= ssh
 
+.if ${MK_LDNS} != "no"
+CFLAGS+=	-DHAVE_LDNS=1
+#DPADD+=	${LIBLDNS}
+#LDADD+=	-lldns
+#USEPRIVATELIB+= ldns
+.endif
+
 .if ${MK_AUDIT} != "no"
 CFLAGS+= -DUSE_BSM_AUDIT -DHAVE_GETAUDIT_ADDR
 DPADD+=  ${LIBBSM}
@@ -36,17 +42,20 @@ LDADD+=  -lbsm
 .endif
 
 .if ${MK_KERBEROS_SUPPORT} != "no"
-CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H=1 -DHAVE_GSSAPI_GSSAPI_KRB5_H=1 -DKRB5 -DHEIMDAL
+CFLAGS+= -DGSSAPI -DKRB5 -DHEIMDAL \
-DPADD+=	 ${LIBGSSAPI_KRB5} ${LIBGSSAPI} ${LIBKRB5} ${LIBASN1}
+	-DHAVE_GSSAPI_GSSAPI_H=1 -DHAVE_GSSAPI_GSSAPI_KRB5_H=1
-LDADD+=	 -lgssapi_krb5 -lgssapi -lkrb5 -lasn1
+DPADD+=	 ${LIBGSSAPI_KRB5} ${LIBGSSAPI} ${LIBKRB5} ${LIBHX509} ${LIBASN1} \
+	${LIBCOM_ERR} ${LIBROKEN} ${LIBWIND} ${LIBHEIMBASE} ${LIBHEIMIPCC}
+LDADD+=	 -lgssapi_krb5 -lgssapi -lkrb5 -lhx509 -lasn1 \
+	-lcom_err -lroken -lwind -lheimbase -lheimipcc
 .endif
 
 .if ${MK_OPENSSH_NONE_CIPHER} != "no"
 CFLAGS+= -DNONE_CIPHER_ENABLED
 .endif
 
-DPADD+=	${LIBCRYPTO} ${LIBCRYPT}
+DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
-LDADD+=	-lcrypto -lcrypt
+LDADD+= -lcrypt -lcrypto -lz
 
 .if defined(LOCALBASE)
 CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"