From 2a9ec0fc3edd2edc5766e11fa312e8ab8a128d5f Mon Sep 17 00:00:00 2001 From: des Date: Tue, 10 Sep 2013 22:26:11 +0000 Subject: Clean up the OpenSSH build. It is now possible to build most components as static binaries, if desired. The one exception is sshd, which runs into trouble due to libpam.a's inclusion of pam_ssh. Make OpenSSH use LDNS if available. This allows it to verify signed SSHFP records. Approved by: re (blanket) --- secure/lib/libssh/Makefile | 19 ++++++++++++------- secure/libexec/sftp-server/Makefile | 20 +++++++++++++++++--- secure/libexec/ssh-keysign/Makefile | 18 +++++++++++++++--- secure/libexec/ssh-pkcs11-helper/Makefile | 22 +++++++++++++++++++--- secure/usr.bin/scp/Makefile | 18 ++++++++++++++++-- secure/usr.bin/sftp/Makefile | 20 +++++++++++++++++--- secure/usr.bin/ssh-add/Makefile | 20 +++++++++++++++++--- secure/usr.bin/ssh-agent/Makefile | 20 +++++++++++++++++--- secure/usr.bin/ssh-keygen/Makefile | 22 ++++++++++++++++++---- secure/usr.bin/ssh-keyscan/Makefile | 16 ++++++++++++++-- secure/usr.bin/ssh/Makefile | 16 +++++++++++----- secure/usr.sbin/sshd/Makefile | 25 +++++++++++++++++-------- 12 files changed, 190 insertions(+), 46 deletions(-) (limited to 'secure') diff --git a/secure/lib/libssh/Makefile b/secure/lib/libssh/Makefile index 3d30a18..387272b 100644 --- a/secure/lib/libssh/Makefile +++ b/secure/lib/libssh/Makefile 
@@ -21,17 +21,22 @@ SRCS= authfd.c authfile.c bufaux.c bufbn.c buffer.c \ # compiled directly into sshd instead. # Portability layer -SRCS+= bsd-misc.c fmt_scaled.c getrrsetbyname.c glob.c \ +SRCS+= bsd-misc.c fmt_scaled.c glob.c \ openssl-compat.c port-tun.c strtonum.c timingsafe_bcmp.c \ vis.c xcrypt.c xmmap.c -.if defined(COMPAT_GETADDRINFO) -SRCS+= getaddrinfo.c getnameinfo.c name6.c rcmd.c bindresvport.c +.if ${MK_LDNS} == "no" +SRCS+= getrrsetbyname.c +.else +LDNSDIR= ${.CURDIR}/../../../contrib/ldns +CFLAGS+= -DHAVE_LDNS=1 -I${LDNSDIR} +SRCS+= getrrsetbyname-ldns.c +DPADD+= ${LIBLDNS} +LDADD+= -lldns +USEPRIVATELIB+= ldns .endif CFLAGS+= -I${SSHDIR} -include ssh_namespace.h -DPADD= ${LIBZ} -LDADD= -lz .if ${MK_KERBEROS_SUPPORT} != "no" CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H=1 -DKRB5 -DHEIMDAL @@ -45,8 +50,8 @@ CFLAGS+= -DNONE_CIPHER_ENABLED NO_LINT= -DPADD+= ${LIBCRYPTO} ${LIBCRYPT} -LDADD+= -lcrypto -lcrypt +DPADD+= ${LIBCRYPTO} ${LIBCRYPT} ${LIBZ} +LDADD+= -lcrypto -lcrypt -lz .include diff --git a/secure/libexec/sftp-server/Makefile b/secure/libexec/sftp-server/Makefile index 3755c98..ef56013 100644 --- a/secure/libexec/sftp-server/Makefile +++ b/secure/libexec/sftp-server/Makefile @@ -1,17 +1,31 @@ # $FreeBSD$ +.include + PROG= sftp-server SRCS= sftp-server.c sftp-common.c sftp-server-main.c MAN= sftp-server.8 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -# required when linking with a dynamic libssh +.if !defined(NO_SHARED) +# required when linking with a dynamic libssh SRCS+= roaming_dummy.c +.endif -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +#USEPRIVATELIB+= ldns +.endif + +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} 
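Review bot: The new `.if ${MK_LDNS} == "no"` block in secure/lib/libssh/Makefile swaps `getrrsetbyname.c` for `getrrsetbyname-ldns.c` without a comment saying what the knob changes for someone building with it off. Per the commit message, LDNS is what lets OpenSSH verify signed SSHFP records, so a build without it presumably loses that check with no trace in the Makefile. A one-line comment above the conditional would do, e.g. `# With LDNS, getrrsetbyname-ldns.c replaces the stock shim so signed SSHFP records can be verified`. The same hunk also drops the `COMPAT_GETADDRINFO` block, which the commit message does not mention.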
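Review bot: In secure/libexec/sftp-server/Makefile the `MK_LDNS` block defines `-DHAVE_LDNS=1` but leaves `#DPADD+= ${LIBLDNS}`, `#LDADD+= -lldns` and `#USEPRIVATELIB+= ldns` commented out, with nothing saying why. libssh is built with `getrrsetbyname-ldns.c` in that configuration, so a NO_SHARED link of any program that ends up pulling that object would presumably need `-lldns`. If the lines are off on purpose because the program never reaches that code, say so in a comment, e.g. `# libldns is not linked here: nothing in this program reaches getrrsetbyname()`; otherwise drop the dead lines. The same block is repeated in the ssh-keysign, ssh-pkcs11-helper, scp, sftp, ssh-add, ssh-agent, ssh-keyscan and sshd hunks, while ssh and ssh-keygen link libldns for real.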
diff --git a/secure/libexec/ssh-keysign/Makefile b/secure/libexec/ssh-keysign/Makefile index 66528e3..7deda19 100644 --- a/secure/libexec/ssh-keysign/Makefile +++ b/secure/libexec/ssh-keysign/Makefile @@ -1,15 +1,27 @@ # $FreeBSD$ +.include + PROG= ssh-keysign -SRCS= ssh-keysign.c readconf.c roaming_dummy.c +SRCS= ssh-keysign.c roaming_dummy.c readconf.c MAN= ssh-keysign.8 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h BINMODE=4555 -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +#USEPRIVATELIB+= ldns +.endif + +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/libexec/ssh-pkcs11-helper/Makefile b/secure/libexec/ssh-pkcs11-helper/Makefile index ec57a61..4682929 100644 --- a/secure/libexec/ssh-pkcs11-helper/Makefile +++ b/secure/libexec/ssh-pkcs11-helper/Makefile @@ -1,15 +1,31 @@ # $FreeBSD$ +.include + PROG= ssh-pkcs11-helper SRCS= ssh-pkcs11.c ssh-pkcs11-helper.c -SRCS+= roaming_dummy.c MAN= ssh-pkcs11-helper.8 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +.if !defined(NO_SHARED) +# required when linking with a dynamic libssh +SRCS+= roaming_dummy.c +.endif + +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +#USEPRIVATELIB+= ldns +.endif + +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/usr.bin/scp/Makefile b/secure/usr.bin/scp/Makefile index fe248ab..c33470c 100644 --- a/secure/usr.bin/scp/Makefile +++ b/secure/usr.bin/scp/Makefile 
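Review bot: secure/libexec/ssh-keysign/Makefile keeps `roaming_dummy.c` in `SRCS` unconditionally, whereas sibling Makefiles in this commit put it under `.if !defined(NO_SHARED)` with the comment "required when linking with a dynamic libssh". ssh-keysign is installed with `BINMODE=4555`, so what goes into its static and dynamic variants should be a deliberate choice rather than a leftover. Either guard it the same way as the siblings, or add a comment such as `# roaming stubs are needed here for both static and dynamic builds` if that is the case. secure/usr.bin/ssh-keyscan/Makefile has the same unguarded entry.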
@@ -1,16 +1,30 @@ # $FreeBSD$ +.include + PROG= scp SRCS= scp.c CFLAGS+=-I${SSHDIR} -include ssh_namespace.h +.if !defined(NO_SHARED) # required when linking with a dynamic libssh SRCS+= roaming_dummy.c +.endif -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +#USEPRIVATELIB+= ldns +.endif + +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/usr.bin/sftp/Makefile b/secure/usr.bin/sftp/Makefile index 8164dac..924e1a7 100644 --- a/secure/usr.bin/sftp/Makefile +++ b/secure/usr.bin/sftp/Makefile @@ -1,16 +1,30 @@ # $FreeBSD$ +.include + PROG= sftp SRCS= sftp.c sftp-client.c sftp-common.c sftp-glob.c progressmeter.c CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -# required when linking with a dynamic libssh +.if !defined(NO_SHARED) +# required when linking with a dynamic libssh SRCS+= roaming_dummy.c +.endif -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} ${LIBEDIT} ${LIBNCURSES} -LDADD= -lssh -lcrypt -lcrypto -lz -ledit -lncurses +DPADD= ${LIBSSH} ${LIBEDIT} ${LIBNCURSES} +LDADD= -lssh -ledit -lncurses USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +#USEPRIVATELIB+= ldns +.endif + +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/usr.bin/ssh-add/Makefile b/secure/usr.bin/ssh-add/Makefile index cb14ce6..316a607 100644 --- a/secure/usr.bin/ssh-add/Makefile +++ b/secure/usr.bin/ssh-add/Makefile 
@@ -1,16 +1,30 @@ # $FreeBSD$ +.include + PROG= ssh-add SRCS+= ssh-add.c CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -# required when linking with a dynamic libssh +.if !defined(NO_SHARED) +# required when linking with a dynamic libssh SRCS+= roaming_dummy.c +.endif -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +#USEPRIVATELIB+= ldns +.endif + +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/usr.bin/ssh-agent/Makefile b/secure/usr.bin/ssh-agent/Makefile index 29620d1..353abac 100644 --- a/secure/usr.bin/ssh-agent/Makefile +++ b/secure/usr.bin/ssh-agent/Makefile @@ -1,16 +1,30 @@ # $FreeBSD$ +.include + PROG= ssh-agent SRCS= ssh-agent.c CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -# required when linking with a dynamic libssh +.if !defined(NO_SHARED) +# required when linking with a dynamic libssh SRCS+= roaming_dummy.c +.endif -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +#USEPRIVATELIB+= ldns +.endif + +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/usr.bin/ssh-keygen/Makefile b/secure/usr.bin/ssh-keygen/Makefile index 48e486e..75934d9 100644 --- a/secure/usr.bin/ssh-keygen/Makefile +++ b/secure/usr.bin/ssh-keygen/Makefile 
@@ -1,16 +1,30 @@ # $FreeBSD$ +.include + PROG= ssh-keygen SRCS= ssh-keygen.c CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -# required when linking with a dynamic libssh -SRCS+= roaming_dummy.c +.if !defined(NO_SHARED) +# required when linking with a dynamic libssh +SRCS+= roaming_dummy.c +.endif -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +DPADD+= ${LIBLDNS} +LDADD+= -lldns +USEPRIVATELIB+= ldns +.endif + +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/usr.bin/ssh-keyscan/Makefile b/secure/usr.bin/ssh-keyscan/Makefile index cc82d07..7dcb4d1 100644 --- a/secure/usr.bin/ssh-keyscan/Makefile +++ b/secure/usr.bin/ssh-keyscan/Makefile @@ -1,13 +1,25 @@ # $FreeBSD$ +.include + PROG= ssh-keyscan SRCS= ssh-keyscan.c roaming_dummy.c CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +#USEPRIVATELIB+= ldns +.endif + +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile index a5e5808..459d21f 100644 --- a/secure/usr.bin/ssh/Makefile +++ b/secure/usr.bin/ssh/Makefile @@ -1,5 +1,4 @@ # $FreeBSD$ -# .include 
@@ -16,10 +15,17 @@ SRCS= ssh.c readconf.c clientloop.c sshtty.c \ # gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile SRCS+= gss-genr.c -DPADD= ${LIBSSH} ${LIBUTIL} ${LIBZ} -LDADD= -lssh -lutil -lz +DPADD= ${LIBSSH} ${LIBUTIL} +LDADD= -lssh -lutil USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +DPADD+= ${LIBLDNS} +LDADD+= -lldns +USEPRIVATELIB+= ldns +.endif + .if ${MK_KERBEROS_SUPPORT} != "no" CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H=1 -DKRB5 -DHEIMDAL DPADD+= ${LIBGSSAPI} @@ -30,8 +36,8 @@ LDADD+= -lgssapi CFLAGS+= -DNONE_CIPHER_ENABLED .endif -DPADD+= ${LIBCRYPT} ${LIBCRYPTO} -LDADD+= -lcrypt -lcrypto +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz .if defined(LOCALBASE) CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\" diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile index bb37ae4..daba994 100644 --- a/secure/usr.sbin/sshd/Makefile +++ b/secure/usr.sbin/sshd/Makefile @@ -1,5 +1,4 @@ # $FreeBSD$ -# .include @@ -25,10 +24,17 @@ SRCS+= gss-genr.c MAN= sshd.8 sshd_config.5 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -DPADD= ${LIBSSH} ${LIBUTIL} ${LIBZ} ${LIBWRAP} ${LIBPAM} -LDADD= -lssh -lutil -lz -lwrap ${MINUSLPAM} +DPADD= ${LIBSSH} ${LIBUTIL} ${LIBWRAP} ${LIBPAM} +LDADD= -lssh -lutil -lwrap ${MINUSLPAM} USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +#USEPRIVATELIB+= ldns +.endif + .if ${MK_AUDIT} != "no" CFLAGS+= -DUSE_BSM_AUDIT -DHAVE_GETAUDIT_ADDR DPADD+= ${LIBBSM} 
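Review bot: The sshd link line in secure/usr.sbin/sshd/Makefile still ends in `${MINUSLPAM}`, and nothing in the Makefile records that a static sshd does not work, although the commit message says it runs into trouble because of libpam.a's inclusion of pam_ssh. Someone who sets NO_SHARED tree-wide will presumably learn this only from the link failure. I would add a comment next to the `DPADD`/`LDADD` pair, e.g. `# sshd cannot currently be linked statically: libpam.a includes pam_ssh`. The Makefile continues outside this hunk.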
@@ -36,17 +42,20 @@ LDADD+= -lbsm .endif .if ${MK_KERBEROS_SUPPORT} != "no" -CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H=1 -DHAVE_GSSAPI_GSSAPI_KRB5_H=1 -DKRB5 -DHEIMDAL -DPADD+= ${LIBGSSAPI_KRB5} ${LIBGSSAPI} ${LIBKRB5} ${LIBASN1} -LDADD+= -lgssapi_krb5 -lgssapi -lkrb5 -lasn1 +CFLAGS+= -DGSSAPI -DKRB5 -DHEIMDAL \ + -DHAVE_GSSAPI_GSSAPI_H=1 -DHAVE_GSSAPI_GSSAPI_KRB5_H=1 +DPADD+= ${LIBGSSAPI_KRB5} ${LIBGSSAPI} ${LIBKRB5} ${LIBHX509} ${LIBASN1} \ + ${LIBCOM_ERR} ${LIBROKEN} ${LIBWIND} ${LIBHEIMBASE} ${LIBHEIMIPCC} +LDADD+= -lgssapi_krb5 -lgssapi -lkrb5 -lhx509 -lasn1 \ + -lcom_err -lroken -lwind -lheimbase -lheimipcc .endif .if ${MK_OPENSSH_NONE_CIPHER} != "no" CFLAGS+= -DNONE_CIPHER_ENABLED .endif -DPADD+= ${LIBCRYPTO} ${LIBCRYPT} -LDADD+= -lcrypto -lcrypt +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz .if defined(LOCALBASE) CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\" -- cgit v1.1
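Review bot: The Kerberos block in secure/usr.sbin/sshd/Makefile now spells out Heimdal's internal libraries (`-lhx509`, `-lcom_err`, `-lroken`, `-lwind`, `-lheimbase`, `-lheimipcc`) with no comment saying the list exists for static linking. The matching block visible in the secure/usr.bin/ssh/Makefile hunks still links only `-lgssapi`. If the list is the static-link closure of libgssapi_krb5, ssh with Kerberos may need its own closure for a NO_SHARED build, and both lists will have to track Heimdal changes by hand. A comment such as `# full dependency closure of libgssapi_krb5, needed for static linking` above `DPADD+=` would make that maintenance duty visible.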