openssh unix dev - Jul 2022 - Don't link sftp, sftp-server or scp with libcrypto

Hi.

This applies on top of my previous patch cleaning up libcrypt and stops
linking scp, sftp and sftp-server against libcrypto.  Why do this?
Well for one reason these components sometimes get used independently
of ssh/sshd (eg in OpenWRT where they can be used with Dropbear) and
it'd be nice if I could have sftp on space constrained devices without
the currently-required but not strictly necessary additional libraries.

The same thing can be done with zlib but that's the next patch.

diff --git a/Makefile.in b/Makefile.in
index 3c285682..338976c8 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -49,6 +49,7 @@ CFLAGS_NOPIE=@CFLAGS_NOPIE@
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 PICFLAG=@PICFLAG@
 LIBS=@LIBS@
+CRYPTOLIBS=@CRYPTOLIBS@
 K5LIBS=@K5LIBS@
 GSSLIBS=@GSSLIBS@
 SSHDLIBS=@SSHDLIBS@
@@ -208,34 +209,34 @@ libssh.a: $(LIBSSH_OBJS)
 	$(RANLIB) $@
 
 ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
-	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS)
+	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS)
$(GSSLIBS)
 
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
$(GSSLIBS) $(K5LIBS)
+	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
$(CRYPTOLIBS) $(GSSLIBS) $(K5LIBS)
 
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
 	$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
 ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS)
-	$(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+	$(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
$(CRYPTOLIBS)
 
 ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS)
-	$(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+	$(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
$(CRYPTOLIBS)
 
 ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS)
-	$(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+	$(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
$(CRYPTOLIBS)
 
 ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSIGN_OBJS)
-	$(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+	$(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
$(CRYPTOLIBS)
 
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
-	$(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh
-lopenbsd-compat $(LIBS)
+	$(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh
-lopenbsd-compat $(LIBS) $(CRYPTOLIBS)
 
 ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
-	$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh
-lopenbsd-compat $(LIBS) $(LIBFIDO2)
+	$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh
-lopenbsd-compat $(LIBS) $(CRYPTOLIBS) $(LIBFIDO2)
 
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
-	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
$(CRYPTOLIBS)
 
 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
 	$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
diff --git a/configure.ac b/configure.ac
index 7bb1d711..9a18e8dd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2696,8 +2696,11 @@ AC_ARG_WITH([ssl-engine],
 	]
 )
 
+CRYPTOLIBS=""
+nocrypto_saved_LIBS="$LIBS"
 if test "x$openssl" = "xyes" ; then
-	LIBS="-lcrypto $LIBS"
+	CRYPTOLIBS="-lcrypto"
+	LIBS="$CRYPTOLIBS $LIBS"
 	AC_TRY_LINK_FUNC([RAND_add], ,
 	    [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
 	AC_CHECK_HEADER([openssl/opensslv.h], ,
@@ -2860,7 +2863,6 @@ if test "x$openssl" = "xyes" ; then
 		],
 		[
 			AC_MSG_RESULT([no])
-			saved_LIBS="$LIBS"
 			LIBS="$LIBS -ldl"
 			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
 			AC_LINK_IFELSE(
@@ -2868,10 +2870,10 @@ if test "x$openssl" = "xyes" ; then
 				[[ ERR_load_crypto_strings(); ]])],
 				[
 					AC_MSG_RESULT([yes])
+					CRYPTOLIBS="$CRYPTOLIBS -ldl"
 				],
 				[
 					AC_MSG_RESULT([no])
-					LIBS="$saved_LIBS"
 				]
 			)
 		]
@@ -3263,25 +3265,6 @@ AC_CHECK_FUNCS([ \
 	arc4random_uniform \
 ])
 
-saved_LIBS="$LIBS"
-AC_CHECK_LIB([iaf], [ia_openinfo], [
-	LIBS="$LIBS -liaf"
-	AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
-				AC_DEFINE([HAVE_LIBIAF], [1],
-			[Define if system has libiaf that supports set_id])
-				])
-])
-LIBS="$saved_LIBS"
-
-# Check for crypt() in libcrypt.  If we have it, we only need it for sshd.
-saved_LIBS="$LIBS"
-AC_CHECK_LIB([crypt], [crypt], [
-	LIBS="-lcrypt $LIBS"
-	SSHDLIBS="-lcrypt $SSHDLIBS"
-])
-AC_CHECK_FUNCS([crypt])
-LIBS="$saved_LIBS"
-
 ### Configure cryptographic random number support
 
 # Check whether OpenSSL seeds itself
@@ -3310,6 +3293,8 @@ if test "x$openssl" = "xyes" ; then
 		]
 	)
 fi
+LIBS="$nocrypto_saved_LIBS"
+AC_SUBST([CRYPTOLIBS])
 
 # PRNGD TCP socket
 AC_ARG_WITH([prngd-port],
@@ -3399,6 +3384,24 @@ else
 	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure
OpenSSL with an entropy source or re-run configure using one of the
--with-prngd-port or --with-prngd-socket options])
 fi
 
+saved_LIBS="$LIBS"
+AC_CHECK_LIB([iaf], [ia_openinfo], [
+	LIBS="$LIBS -liaf"
+	AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
+				AC_DEFINE([HAVE_LIBIAF], [1],
+			[Define if system has libiaf that supports set_id])
+				])
+])
+
+# Check for crypt() in libcrypt.  If we have it, we only need it for sshd.
+saved_LIBS="$LIBS"
+AC_CHECK_LIB([crypt], [crypt], [
+	LIBS="-lcrypt $LIBS"
+	SSHDLIBS="-lcrypt $SSHDLIBS"
+])
+AC_CHECK_FUNCS([crypt])
+LIBS="$saved_LIBS"
+
 # Check for PAM libs
 PAM_MSG="no"
 AC_ARG_WITH([pam],
@@ -5635,6 +5638,9 @@ echo "    Compiler flags: ${CFLAGS}"
 echo "Preprocessor flags: ${CPPFLAGS}"
 echo "      Linker flags: ${LDFLAGS}"
 echo "         Libraries: ${LIBS}"
+if test ! -z "${CRYPTOLIBS}"; then
+echo "           +crypto: ${CRYPTOLIBS}"
+fi
 if test ! -z "${SSHDLIBS}"; then
 echo "         +for sshd: ${SSHDLIBS}"
 fi
diff --git a/scp.c b/scp.c
index da07e64e..f9ca5d39 100644
--- a/scp.c
+++ b/scp.c
@@ -455,8 +455,6 @@ main(int argc, char **argv)
 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
 	sanitise_stdfd();
 
-	seed_rng();
-
 	msetlocale();
 
 	/* Copy argv, because we modify it */
diff --git a/sftp-server-main.c b/sftp-server-main.c
index 06566d36..2c70f89b 100644
--- a/sftp-server-main.c
+++ b/sftp-server-main.c
@@ -42,8 +42,6 @@ main(int argc, char **argv)
 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
 	sanitise_stdfd();
 
-	seed_rng();
-
 	if ((user_pw = getpwuid(getuid())) == NULL) {
 		fprintf(stderr, "No user found for uid %lu\n",
 		    (u_long)getuid());
diff --git a/sftp.c b/sftp.c
index c880f166..939b8dc0 100644
--- a/sftp.c
+++ b/sftp.c
@@ -2406,8 +2406,6 @@ main(int argc, char **argv)
 	sanitise_stdfd();
 	msetlocale();
 
-	seed_rng();
-
 	__progname = ssh_get_progname(argv[0]);
 	memset(&args, '\0', sizeof(args));
 	args.list = NULL;
-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

On Tue, 12 Jul 2022, Darren Tucker wrote:
> Hi.
> 
> This applies on top of my previous patch cleaning up libcrypt and stops
> linking scp, sftp and sftp-server against libcrypto.  Why do this?
> Well for one reason these components sometimes get used independently
> of ssh/sshd (eg in OpenWRT where they can be used with Dropbear) and
> it'd be nice if I could have sftp on space constrained devices without
> the currently-required but not strictly necessary additional libraries.
> 
> The same thing can be done with zlib but that's the next patch.
IIRC we linked libcrypto because some linkers were not smart enough to
elide references to libcrypto coming from unused functions in libssh

It's possible that I'm wrong/outdated though