authorbapt <bapt@FreeBSD.org>2014-11-25 22:25:13 +0000
committerbapt <bapt@FreeBSD.org>2014-11-25 22:25:13 +0000
commit66a6b324d094fcebf09847dc478c31a3ca6be698 (patch)
tree2ca51cf79cb4d7e2f55469f7ffebcc4b6df93ca8 /secure
parentc9bc0f390a0d6e816b470c56d5857f0dc76be31c (diff)
Reduce overlinking
The framework now ensures by itself that pthread is added to the link chain as the last component when linking against Kerberos. Without any explicit addition, this prevents issues like CVE-2014-8475.
Diffstat (limited to 'secure')
-rw-r--r--secure/lib/libssh/Makefile1
-rw-r--r--secure/libexec/sftp-server/Makefile2
-rw-r--r--secure/libexec/ssh-keysign/Makefile2
-rw-r--r--secure/libexec/ssh-pkcs11-helper/Makefile2
-rw-r--r--secure/usr.bin/scp/Makefile2
-rw-r--r--secure/usr.bin/sftp/Makefile2
-rw-r--r--secure/usr.bin/ssh-add/Makefile2
-rw-r--r--secure/usr.bin/ssh-agent/Makefile2
-rw-r--r--secure/usr.bin/ssh-keygen/Makefile3
-rw-r--r--secure/usr.bin/ssh-keyscan/Makefile2
-rw-r--r--secure/usr.bin/ssh/Makefile5
-rw-r--r--secure/usr.sbin/sshd/Makefile18
12 files changed, 10 insertions, 33 deletions
diff --git a/secure/lib/libssh/Makefile b/secure/lib/libssh/Makefile
index d23330d..725ace8 100644
--- a/secure/lib/libssh/Makefile
+++ b/secure/lib/libssh/Makefile
@@ -41,7 +41,6 @@ CFLAGS+= -I${SSHDIR} -include ssh_namespace.h
.if ${MK_KERBEROS_SUPPORT} != "no"
CFLAGS+= -include krb5_config.h
-LIBADD+= gssapi krb5 hx509 asn1 com_err md roken
.endif
.if ${MK_OPENSSH_NONE_CIPHER} != "no"
diff --git a/secure/libexec/sftp-server/Makefile b/secure/libexec/sftp-server/Makefile
index 3e55cc9..3ec21fd 100644
--- a/secure/libexec/sftp-server/Makefile
+++ b/secure/libexec/sftp-server/Makefile
@@ -21,8 +21,6 @@ CFLAGS+= -DHAVE_LDNS=1
#USEPRIVATELIB+= ldns
.endif
-LIBADD+= crypto crypto z
-
.include <bsd.prog.mk>
.PATH: ${SSHDIR}
diff --git a/secure/libexec/ssh-keysign/Makefile b/secure/libexec/ssh-keysign/Makefile
index 01e51ef..9efad92 100644
--- a/secure/libexec/ssh-keysign/Makefile
+++ b/secure/libexec/ssh-keysign/Makefile
@@ -17,7 +17,7 @@ CFLAGS+= -DHAVE_LDNS=1
#USEPRIVATELIB+= ldns
.endif
-LIBADD+= crypt crypto z
+LIBADD+= crypto
.include <bsd.prog.mk>
diff --git a/secure/libexec/ssh-pkcs11-helper/Makefile b/secure/libexec/ssh-pkcs11-helper/Makefile
index 55f151a..6733048 100644
--- a/secure/libexec/ssh-pkcs11-helper/Makefile
+++ b/secure/libexec/ssh-pkcs11-helper/Makefile
@@ -21,7 +21,7 @@ CFLAGS+= -DHAVE_LDNS=1
#USEPRIVATELIB+= ldns
.endif
-LIBADD+= crypt crypto z
+LIBADD+= crypto
.include <bsd.prog.mk>
diff --git a/secure/usr.bin/scp/Makefile b/secure/usr.bin/scp/Makefile
index 12a3caf..203fbc3 100644
--- a/secure/usr.bin/scp/Makefile
+++ b/secure/usr.bin/scp/Makefile
@@ -20,8 +20,6 @@ CFLAGS+= -DHAVE_LDNS=1
#USEPRIVATELIB+= ldns
.endif
-LIBADD+= crypt crypto z
-
.include <bsd.prog.mk>
.PATH: ${SSHDIR}
diff --git a/secure/usr.bin/sftp/Makefile b/secure/usr.bin/sftp/Makefile
index ef130d8..42728be 100644
--- a/secure/usr.bin/sftp/Makefile
+++ b/secure/usr.bin/sftp/Makefile
@@ -20,8 +20,6 @@ CFLAGS+= -DHAVE_LDNS=1
#USEPRIVATELIB+= ldns
.endif
-LIABDD+= crypt crypto z
-
.include <bsd.prog.mk>
.PATH: ${SSHDIR}
diff --git a/secure/usr.bin/ssh-add/Makefile b/secure/usr.bin/ssh-add/Makefile
index 2484a7b..ec6ebc1 100644
--- a/secure/usr.bin/ssh-add/Makefile
+++ b/secure/usr.bin/ssh-add/Makefile
@@ -20,8 +20,6 @@ CFLAGS+= -DHAVE_LDNS=1
#USEPRIVATELIB+= ldns
.endif
-LIBADD+= crypt crypto z
-
.include <bsd.prog.mk>
.PATH: ${SSHDIR}
diff --git a/secure/usr.bin/ssh-agent/Makefile b/secure/usr.bin/ssh-agent/Makefile
index 807f747..e263dec 100644
--- a/secure/usr.bin/ssh-agent/Makefile
+++ b/secure/usr.bin/ssh-agent/Makefile
@@ -20,7 +20,7 @@ CFLAGS+= -DHAVE_LDNS=1
#USEPRIVATELIB+= ldns
.endif
-LIBADD+= crypt crypto z
+LIBADD+= crypto
.include <bsd.prog.mk>
diff --git a/secure/usr.bin/ssh-keygen/Makefile b/secure/usr.bin/ssh-keygen/Makefile
index c2654ba..db8dc7e 100644
--- a/secure/usr.bin/ssh-keygen/Makefile
+++ b/secure/usr.bin/ssh-keygen/Makefile
@@ -15,10 +15,9 @@ LIBADD= ssh
.if ${MK_LDNS} != "no"
CFLAGS+= -DHAVE_LDNS=1
-LIBADD+= ldns
.endif
-LIBADD+= crypt crypto z
+LIBADD+= crypto
.include <bsd.prog.mk>
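Review bot: The `.if ${MK_LDNS} != "no"` block still defines `-DHAVE_LDNS=1` but no longer adds `ldns` to `LIBADD`, so ssh-keygen now relies on libssh to carry the ldns dependency. That holds only if no object compiled into ssh-keygen itself references ldns symbols and if static builds resolve the transitive library; neither is visible in this hunk. A one-line comment would record the assumption, for example `# ldns is linked through libssh; HAVE_LDNS only selects code paths here`. The first hunk of secure/usr.bin/ssh/Makefile makes the same removal.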
diff --git a/secure/usr.bin/ssh-keyscan/Makefile b/secure/usr.bin/ssh-keyscan/Makefile
index b4f97a5..b6b5060 100644
--- a/secure/usr.bin/ssh-keyscan/Makefile
+++ b/secure/usr.bin/ssh-keyscan/Makefile
@@ -15,8 +15,6 @@ CFLAGS+= -DHAVE_LDNS=1
#USEPRIVATELIB+= ldns
.endif
-LIBADD+= crypt crypto z
-
.include <bsd.prog.mk>
.PATH: ${SSHDIR}
diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile
index 2f2f97b..b29ee2e 100644
--- a/secure/usr.bin/ssh/Makefile
+++ b/secure/usr.bin/ssh/Makefile
@@ -15,11 +15,10 @@ SRCS= ssh.c readconf.c clientloop.c sshtty.c \
# gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile
SRCS+= gss-genr.c
-LIBADD= ssh util
+LIBADD= ssh
.if ${MK_LDNS} != "no"
CFLAGS+= -DHAVE_LDNS=1
-LIBADD+= ldns
.endif
.if ${MK_KERBEROS_SUPPORT} != "no"
@@ -31,7 +30,7 @@ LIBADD+= gssapi
CFLAGS+= -DNONE_CIPHER_ENABLED
.endif
-LIBADD+= crypt crypto z
+LIBADD+= crypto
.if defined(LOCALBASE)
CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile
index f95c8c6..f2c7e36 100644
--- a/secure/usr.sbin/sshd/Makefile
+++ b/secure/usr.sbin/sshd/Makefile
@@ -25,7 +25,8 @@ SRCS+= gss-genr.c
MAN= sshd.8 sshd_config.5
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
-LIBADD= ssh util wrap pam
+# pam should always happen before ssh here for static linking
+LIBADD= pam ssh util wrap
.if ${MK_LDNS} != "no"
CFLAGS+= -DHAVE_LDNS=1
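Review bot: The new comment `# pam should always happen before ssh here for static linking` gives an ordering rule without the reason, and "happen" is unclear when applied to a list of libraries. Since the order of `LIBADD` now matters for correctness, the comment should say what breaks otherwise, for example `# Keep pam before ssh: a static link resolves left to right, so libpam must precede the libssh it references.` That explanation is inferred from the comment alone, so confirm which symbols libpam needs from libssh before adopting the wording.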
@@ -41,25 +42,14 @@ LIBADD+= bsm
.if ${MK_KERBEROS_SUPPORT} != "no"
CFLAGS+= -include krb5_config.h
-LIBADD+= gssapi_krb5 gssapi krb5 hx509 asn1 com_err roken wind heimbase \
- heimipcc
+LIBADD+= gssapi_krb5 gssapi krb5
.endif
.if ${MK_OPENSSH_NONE_CIPHER} != "no"
CFLAGS+= -DNONE_CIPHER_ENABLED
.endif
-LIBADD+= crypt crypto z
-
-# Fix the order of NEEDED entries for libthr and libc. The libthr
-# needs to interpose libc symbols, leaving the libthr loading as
-# dependency of krb causes reversed order and broken interposing. Put
-# the threading library last on the linker command line, just before
-# the -lc added by a compiler driver.
-# XXX In theory the framework now takes care of that, it needs to be checked
-.if ${MK_KERBEROS_SUPPORT} != "no"
-LIBADD+= pthread
-.endif
+LIBADD+= crypto
.if defined(LOCALBASE)
CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
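Review bot: The block deleted after `LIBADD+= crypt crypto z` was the only place in this Makefile that forced libthr last on the link line when Kerberos is enabled, and its own comment said the framework's handling "needs to be checked"; the new side drops both the workaround and the explanation. The commit message ties this ordering to CVE-2014-8475, so keep a short comment next to `LIBADD+= gssapi_krb5 gssapi krb5`, such as `# libthr must follow the krb5 libraries in NEEDED order; the framework appends it last`, so that a later LIBADD edit does not silently reintroduce the problem. It is also worth confirming on a Kerberos-enabled build that the NEEDED entries of the resulting sshd (for example with `readelf -d`) list libthr after the Kerberos libraries and before libc.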