Don't link sftp, sftp-server or scp with libcrypto

Darren Tucker dtucker at dtucker.net
Fri Jul 22 13:44:38 AEST 2022


On Wed, 13 Jul 2022 at 14:56, Damien Miller <djm at mindrot.org> wrote:
> On Tue, 12 Jul 2022, Darren Tucker wrote:
> > This applies on top of my previous patch cleaning up libcrypt and stops
> > linking scp, sftp and sftp-server against libcrypto.
[...]
> IIRC we linked libcrypto because some linkers were not smart enough to
> elide references to libcrypto coming from unused functions in libssh
> It's possible that I'm wrong/outdated though

Having done some experimentation, I now think our understanding of that
was wrong.

Instead, I think the differentiating factor was whether or not the
platform depended on OpenSSL for getrandom and/or arc4random.  scp,
sftp and sftp-server call seed_rng() even though they don't actually
use the RNG, and in doing so pull in dependencies on libcrypto via
entropy.c and port-prngd.c.

After removing those, this seems to work on all of the platforms in
the test zoo (at least so far, the tests are still running on the
slower ones) and the resulting binaries do not need to link libcrypto
or libz against the scp, sftp and sftp-server binaries.
https://github.com/openssh/openssh-portable/compare/master...daztucker:openssh-portable:master

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
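Added example (not from this thread, nor OpenSSH's own tooling): a small post-build check that confirms the scp, sftp and sftp-server binaries carry no `NEEDED` entry for libcrypto or libz, which is the outcome the message above describes. It parses the `(NEEDED)` lines of `readelf -d` output; the two sample outputs embedded below are constructed for offline testing and are not real readelf output.

```shell
#!/bin/sh
# Added example, not from the thread: verify that built binaries do not
# depend on libcrypto or libz.  Parses `readelf -d` output (GNU binutils).

# Print the shared-library names from NEEDED lines of readelf -d output on stdin.
needed_libs() {
    sed -n 's/.*(NEEDED)[[:space:]]*Shared library: \[\(.*\)\]/\1/p'
}

# Exit status 0 if libcrypto or libz is among the NEEDED entries on stdin,
# 1 otherwise.
has_forbidden_dep() {
    needed_libs | grep -E -q '^lib(crypto|z)\.so'
}

# Check one real binary on disk; returns nonzero if it still links either lib.
check_binary() {
    bin="$1"
    if readelf -d "$bin" | has_forbidden_dep; then
        echo "FAIL: $bin still links libcrypto or libz"
        return 1
    fi
    echo "OK: $bin has no libcrypto/libz dependency"
}

# Constructed sample (not real output): what a pre-change binary looked like.
SAMPLE_BEFORE='Dynamic section at offset 0x1000 contains 30 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libz.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Constructed sample (not real output): the expected post-change result.
SAMPLE_AFTER='Dynamic section at offset 0x1000 contains 28 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Check every binary named on the command line; $status is 1 if any failed.
status=0
for bin in "$@"; do
    check_binary "$bin" || status=1
done
```

Run it as `sh check-deps.sh scp sftp sftp-server` from the build directory after `make`; on platforms without GNU readelf, `ldd` output can be fed to a similar filter, but the `(NEEDED)` parsing here is specific to readelf.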


More information about the openssh-unix-dev mailing list