
Don't link sftp, sftp-server or scp with libcrypto
Hi.

This applies on top of my previous patch cleaning up libcrypt and stops
linking scp, sftp and sftp-server against libcrypto. Why do this?
Well for one reason these components sometimes get used independently
of ssh/sshd (eg in OpenWRT where they can be used with Dropbear) and
it'd be nice if I could have sftp on space constrained devices without
the currently-required but not strictly necessary additional libraries.

The same thing can be done with zlib but that's the next patch.

diff --git a/Makefile.in b/Makefile.in
index 3c285682..338976c8 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -49,6 +49,7 @@ CFLAGS_NOPIE=@CFLAGS_NOPIE@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
PICFLAG=@PICFLAG@
LIBS=@LIBS@
+CRYPTOLIBS=@CRYPTOLIBS@
K5LIBS=@K5LIBS@
GSSLIBS=@GSSLIBS@
SSHDLIBS=@SSHDLIBS@
@@ -208,34 +209,34 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@

ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS)
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS) $(GSSLIBS)

sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CRYPTOLIBS) $(GSSLIBS) $(K5LIBS)

scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)

ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS)
- $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS)

ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS)
- $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS)

ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS)
- $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS)

ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSIGN_OBJS)
- $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS)

ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
- $(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS)

ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
- $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
+ $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS) $(LIBFIDO2)

ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
- $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CRYPTOLIBS)

sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
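Review bot: The scp and sftp-server rules are left linking `$(LIBS)` alone, and nothing in the Makefile records that this is now deliberate. A later change that makes either program reach an OpenSSL-backed function in libssh.a, including a random-number path that the `seed_rng()` calls removed later in this patch used to initialise, would then surface only as a link failure on some platforms. A comment above those rules would pin the invariant, for example `# scp, sftp and sftp-server must not need libcrypto: link with $(LIBS) only, never $(CRYPTOLIBS)`. Whether anything reachable from these programs still expects `seed_rng()` to have run cannot be confirmed from the hunks shown; it is worth checking on platforms whose compat random functions are backed by OpenSSL. The sftp rule lies outside this hunk.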
diff --git a/configure.ac b/configure.ac
index 7bb1d711..9a18e8dd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2696,8 +2696,11 @@ AC_ARG_WITH([ssl-engine],
]
)

+CRYPTOLIBS=""
+nocrypto_saved_LIBS="$LIBS"
if test "x$openssl" = "xyes" ; then
- LIBS="-lcrypto $LIBS"
+ CRYPTOLIBS="-lcrypto"
+ LIBS="$CRYPTOLIBS $LIBS"
AC_TRY_LINK_FUNC([RAND_add], ,
[AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
AC_CHECK_HEADER([openssl/opensslv.h], ,
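Review bot: The link tests from here on run with `LIBS="$CRYPTOLIBS $LIBS"`, crypto libraries first, but the Makefile.in rules changed in this patch pass `$(LIBS) $(CRYPTOLIBS)`, so the order configure verified is not the order the build uses. With a static libcrypto that needs symbols from a library in `LIBS`, or a linker that drops libraries not yet needed when it sees them, the build order could fail where the configure check passed. Either test with `LIBS="$LIBS $CRYPTOLIBS"` here or link with `$(CRYPTOLIBS) $(LIBS)` in Makefile.in so the two agree. The enclosing `if test "x$openssl" = "xyes"` block continues past the end of this hunk.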
@@ -2860,7 +2863,6 @@ if test "x$openssl" = "xyes" ; then
],
[
AC_MSG_RESULT([no])
- saved_LIBS="$LIBS"
LIBS="$LIBS -ldl"
AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
AC_LINK_IFELSE(
@@ -2868,10 +2870,10 @@ if test "x$openssl" = "xyes" ; then
[[ ERR_load_crypto_strings(); ]])],
[
AC_MSG_RESULT([yes])
+ CRYPTOLIBS="$CRYPTOLIBS -ldl"
],
[
AC_MSG_RESULT([no])
- LIBS="$saved_LIBS"
]
)
]
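Review bot: When the second link test also fails, `-ldl` now stays in `LIBS`. This hunk and the previous one drop both `saved_LIBS="$LIBS"` and the `LIBS="$saved_LIBS"` in the `no` branch, while `LIBS="$LIBS -ldl"` is kept. Every later link check up to `LIBS="$nocrypto_saved_LIBS"` then runs with a library that was just shown not to help, and could fail outright on a system without libdl. Keep a local save and restore under a name that cannot clash, e.g. `dl_saved_LIBS="$LIBS"` before the append and `LIBS="$dl_saved_LIBS"` in the `no` branch. The surrounding AC_LINK_IFELSE starts before this hunk.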
@@ -3263,25 +3265,6 @@ AC_CHECK_FUNCS([ \
arc4random_uniform \
])

-saved_LIBS="$LIBS"
-AC_CHECK_LIB([iaf], [ia_openinfo], [
- LIBS="$LIBS -liaf"
- AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
- AC_DEFINE([HAVE_LIBIAF], [1],
- [Define if system has libiaf that supports set_id])
- ])
-])
-LIBS="$saved_LIBS"
-
-# Check for crypt() in libcrypt. If we have it, we only need it for sshd.
-saved_LIBS="$LIBS"
-AC_CHECK_LIB([crypt], [crypt], [
- LIBS="-lcrypt $LIBS"
- SSHDLIBS="-lcrypt $SSHDLIBS"
-])
-AC_CHECK_FUNCS([crypt])
-LIBS="$saved_LIBS"
-
### Configure cryptographic random number support

# Check whether OpenSSL seeds itself
@@ -3310,6 +3293,8 @@ if test "x$openssl" = "xyes" ; then
]
)
fi
+LIBS="$nocrypto_saved_LIBS"
+AC_SUBST([CRYPTOLIBS])

# PRNGD TCP socket
AC_ARG_WITH([prngd-port],
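Review bot: `LIBS="$nocrypto_saved_LIBS"` restores a snapshot taken several hundred lines earlier, so any library that a check in between appended to `LIBS` for non-crypto reasons is silently discarded along with `-lcrypto`. None is visible in these hunks, and the libiaf and libcrypt checks were moved below this point, but the hazard is not documented for future edits. A comment at the restore would help, for example `# Drops everything added to LIBS since nocrypto_saved_LIBS was taken; crypto-only libraries belong in CRYPTOLIBS`. The `if test "x$openssl" = "xyes"` block closed by the `fi` above starts outside this hunk.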
@@ -3399,6 +3384,24 @@ else
AC_MSG_ERROR([.OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
fi

+saved_LIBS="$LIBS"
+AC_CHECK_LIB([iaf], [ia_openinfo], [
+ LIBS="$LIBS -liaf"
+ AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
+ AC_DEFINE([HAVE_LIBIAF], [1],
+ [Define if system has libiaf that supports set_id])
+ ])
+])
+
+# Check for crypt() in libcrypt. If we have it, we only need it for sshd.
+saved_LIBS="$LIBS"
+AC_CHECK_LIB([crypt], [crypt], [
+ LIBS="-lcrypt $LIBS"
+ SSHDLIBS="-lcrypt $SSHDLIBS"
+])
+AC_CHECK_FUNCS([crypt])
+LIBS="$saved_LIBS"
+
# Check for PAM libs
PAM_MSG="no"
AC_ARG_WITH([pam],
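Review bot: The re-added libiaf check no longer restores `LIBS`. The removed copy had `LIBS="$saved_LIBS"` after the closing `])`, while the added copy goes straight on to the libcrypt comment. `-liaf` therefore stays in `LIBS`, is captured by the second `saved_LIBS="$LIBS"`, and ends up linked into every program instead of only sshd through `SSHDLIBS`. Add `LIBS="$saved_LIBS"` after the `])` that closes the `AC_CHECK_LIB([iaf], ...)` call.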
@@ -5635,6 +5638,9 @@ echo " Compiler flags: ${CFLAGS}"
echo "Preprocessor flags: ${CPPFLAGS}"
echo " Linker flags: ${LDFLAGS}"
echo " Libraries: ${LIBS}"
+if test ! -z "${CRYPTOLIBS}"; then
+echo " +crypto: ${CRYPTOLIBS}"
+fi
if test ! -z "${SSHDLIBS}"; then
echo " +for sshd: ${SSHDLIBS}"
fi
diff --git a/scp.c b/scp.c
index da07e64e..f9ca5d39 100644
--- a/scp.c
+++ b/scp.c
@@ -455,8 +455,6 @@ main(int argc, char **argv)
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();

- seed_rng();
-
msetlocale();

/* Copy argv, because we modify it */
diff --git a/sftp-server-main.c b/sftp-server-main.c
index 06566d36..2c70f89b 100644
--- a/sftp-server-main.c
+++ b/sftp-server-main.c
@@ -42,8 +42,6 @@ main(int argc, char **argv)
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();

- seed_rng();
-
if ((user_pw = getpwuid(getuid())) == NULL) {
fprintf(stderr, "No user found for uid %lu\n",
(u_long)getuid());
diff --git a/sftp.c b/sftp.c
index c880f166..939b8dc0 100644
--- a/sftp.c
+++ b/sftp.c
@@ -2406,8 +2406,6 @@ main(int argc, char **argv)
sanitise_stdfd();
msetlocale();

- seed_rng();
-
__progname = ssh_get_progname(argv[0]);
memset(&args, '\0', sizeof(args));
args.list = NULL;
--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Don't link sftp, sftp-server or scp with libcrypto [ In reply to ]
On Tue, 12 Jul 2022, Darren Tucker wrote:

> Hi.
>
> This applies on top of my previous patch cleaning up libcrypt and stops
> linking scp, sftp and sftp-server against libcrypto. Why do this?
> Well for one reason these components sometimes get used independently
> of ssh/sshd (eg in OpenWRT where they can be used with Dropbear) and
> it'd be nice if I could have sftp on space constrained devices without
> the currently-required but not strictly necessary additional libraries.
>
> The same thing can be done with zlib but that's the next patch.

IIRC we linked libcrypto because some linkers were not smart enough to
elide references to libcrypto coming from unused functions in libssh

It's possible that I'm wrong/outdated though
Re: Don't link sftp, sftp-server or scp with libcrypto [ In reply to ]
On 7/13/22 00:56, Damien Miller wrote:
> On Tue, 12 Jul 2022, Darren Tucker wrote:
>
>> Hi.
>>
>> This applies on top of my previous patch cleaning up libcrypt and stops
>> linking scp, sftp and sftp-server against libcrypto. Why do this?
>> Well for one reason these components sometimes get used independently
>> of ssh/sshd (eg in OpenWRT where they can be used with Dropbear) and
>> it'd be nice if I could have sftp on space constrained devices without
>> the currently-required but not strictly necessary additional libraries.
>>
>> The same thing can be done with zlib but that's the next patch.
>
> IIRC we linked libcrypto because some linkers were not smart enough to
> elide references to libcrypto coming from unused functions in libssh
>
> It's possible that I'm wrong/outdated though

That reminds me: is there any chance that OpenSSH’s SSH client
code could be made into a library that other code could use as well?
Having to spawn a child process is a bit annoying, and I would like
to be able to use all of ssh(1)’s features.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Re: Don't link sftp, sftp-server or scp with libcrypto [ In reply to ]
On Wed, 13 Jul 2022 at 14:56, Damien Miller <djm@mindrot.org> wrote:
> On Tue, 12 Jul 2022, Darren Tucker wrote:
> > This applies on top of my previous patch cleaning up libcrypt and stops
> > linking scp, sftp and sftp-server against libcrypto.
[...]
> IIRC we linked libcrypto because some linkers were not smart enough to
> elide references to libcrypto coming from unused functions in libssh
> It's possible that I'm wrong/outdated though

Having done some experimentation I now think our understanding of that
was wrong.

Instead, I think the differentiating factor was whether or not the
platform depended on OpenSSL for getrandom and/or arc4random. scp,
sftp and sftp-server call seed_rng() even though they don't actually
use the RNG, and in doing so pull in dependencies on libcrypto via
entropy.c and port-prngd.c.

After removing those, this seems to work on all of the platforms in
the test zoo (at least so far; the tests are still running on the
slower ones), and the resulting scp, sftp and sftp-server binaries no
longer need to link against libcrypto or libz.
https://github.com/openssh/openssh-portable/compare/master...daztucker:openssh-portable:master

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Don't link sftp, sftp-server or scp with libcrypto [ In reply to ]
On Wed, 13 Jul 2022 at 18:04, Demi Marie Obenour <demiobenour@gmail.com> wrote:
[...]
> That reminds me: is there any chance that OpenSSH’s SSH client
> code could be made into a library that other code could use as well?
> Having to spawn a child process is a bit annoying, and I would like
> to be able to use all of ssh(1)’s features.

There's a libssh.a built as part of the build process but making it
externally consumable with a stable API/ABI is not a goal. There are
other projects which do have that goal (eg libssh and libssh2, both of
which seem to be actively maintained).

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Don't link sftp, sftp-server or scp with libcrypto [ In reply to ]
On 7/22/22 00:00, Darren Tucker wrote:
> On Wed, 13 Jul 2022 at 18:04, Demi Marie Obenour <demiobenour@gmail.com> wrote:
> [...]
>> That reminds me: is there any chance that OpenSSH’s SSH client
>> code could be made into a library that other code could use as well?
>> Having to spawn a child process is a bit annoying, and I would like
>> to be able to use all of ssh(1)’s features.
>
> There's a libssh.a built as part of the build process but making it
> externally consumable with a stable API/ABI is not a goal. There are
> other projects which do have that goal (eg libssh and libssh2, both of
> which seem to be actively maintained).

That is a valid decision. libssh2 has a somewhat underwhelming
security track-record, but libssh seems to be quite good.

I do wish there was a library for ssh-keygen -Y signing and
verification. Right now Git has to spawn a subprocess and parse its
output, which is less than great.
--
Sincerely,
Demi Marie Obenour (she/her/hers)