diff -r 7db59feec584 crypto/external/bsd/openssh/Makefile.inc --- a/crypto/external/bsd/openssh/Makefile.inc Tue Nov 25 18:49:34 2025 +0000 +++ b/crypto/external/bsd/openssh/Makefile.inc Tue Dec 16 03:50:19 2025 +0000 @@ -52,3 +52,10 @@ LINTFLAGS+= -X 117 # nonportable '>>' on LINTFLAGS+= -X 231 # parameter unused LINTFLAGS+= -X 247 # pointer cast to unrelated type LINTFLAGS+= -X 351 # missing header declaration + +# We install libssh in /usr/lib/private so applications don't +# accidentally link against it. Set LIBSUBDIR so libssh.so.N and +# libssh.so.N.M will be installed there there, and set PROGDPSUBDIRS so +# ssh/sshd/sshd-session/&c. will find it at link-time. +LIBSUBDIR= private +PROGDPSUBDIRS+= private diff -r 7db59feec584 crypto/external/bsd/openssh/lib/Makefile --- a/crypto/external/bsd/openssh/lib/Makefile Tue Nov 25 18:49:34 2025 +0000 +++ b/crypto/external/bsd/openssh/lib/Makefile Tue Dec 16 03:50:19 2025 +0000 @@ -1,5 +1,17 @@ # $NetBSD: Makefile,v 1.44 2025/10/11 15:45:10 christos Exp $ +# libssh is not meant for applications to link against -- it's a +# private library of the ssh/sshd/&c. executables we ship. So don't +# install compat versions (we don't ship ssh/sshd/&c. as compat +# executables, only as native ones) or expose the .so symlink or .a +# static library for applications to link against. +# +# Note that while NOLINKLIB suppresses _installing_ the .so symlink, +# the .so symlink is still created in the objdir so bin/ssh can still +# use it to link. +NOCOMPAT= # defined +NOLINKLIB= # defined + .include .include "../Makefile.inc" diff -r 7db59feec584 distrib/sets/lists/base/mi --- a/distrib/sets/lists/base/mi Tue Nov 25 18:49:34 2025 +0000 +++ b/distrib/sets/lists/base/mi Tue Dec 16 03:50:19 2025 +0000 
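Review bot: In crypto/external/bsd/openssh/Makefile.inc the comment added above `LIBSUBDIR= private` has a doubled word (`installed there there`) and says PROGDPSUBDIRS lets ssh/sshd find the library "at link-time" only. The bsd.README text and the bsd.prog.mk loop in this same change show that it also adds `-Wl,-rpath,${SHLIBDIR}/private`, so it decides where the run-time linker looks as well. Suggested wording for the last two comment lines: `# libssh.so.N.M will be installed there, and set PROGDPSUBDIRS so` and `# ssh/sshd/sshd-session/&c. will find it at link time and, via rpath, at run time.`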
@@ -1239,6 +1239,7 @@ ./usr/lib/openssl/modules/legacy.so base-crypto-usr compatfile,pic,openssl=30 ./usr/lib/openssl/modules/legacy.so base-crypto-usr compatfile,pic,openssl=35 ./usr/lib/postfix base-postfix-usr +./usr/lib/private base-sys-usr ./usr/lib/runemodule base-obsolete obsolete ./usr/lib/runemodule/libBIG5.a base-obsolete obsolete ./usr/lib/runemodule/libBIG5.so base-obsolete obsolete @@ -1284,6 +1285,7 @@ ./usr/libdata/debug/usr/lib/i18n base-i18n-root compatfile ./usr/libdata/debug/usr/lib/named base-sys-usr compatfile ./usr/libdata/debug/usr/lib/npf base-obsolete obsolete +./usr/libdata/debug/usr/lib/private base-sys-usr compatfile ./usr/libdata/debug/usr/lib/security base-sys-usr compatfile ./usr/libdata/debug/usr/libexec base-sys-usr ./usr/libdata/debug/usr/libexec/ching base-sys-usr diff -r 7db59feec584 distrib/sets/lists/base/shl.mi --- a/distrib/sets/lists/base/shl.mi Tue Nov 25 18:49:34 2025 +0000 +++ b/distrib/sets/lists/base/shl.mi Tue Dec 16 03:50:19 2025 +0000 @@ -895,9 +895,7 @@ ./usr/lib/libsqlite3.so.1 base-sys-shlib compatfile ./usr/lib/libsqlite3.so.1.5 base-sys-shlib compatfile ./usr/lib/libss.so base-obsolete obsolete -./usr/lib/libssh.so base-secsh-shlib compatfile -./usr/lib/libssh.so.50 base-secsh-shlib compatfile -./usr/lib/libssh.so.50.0 base-secsh-shlib compatfile +./usr/lib/libssh.so base-obsolete obsolete ./usr/lib/libssl.so base-crypto-shlib compatfile ./usr/lib/libssl.so.12 base-crypto-shlib compatfile,openssl=10 ./usr/lib/libssl.so.12.0 base-crypto-shlib compatfile,openssl=10 
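Review bot: In distrib/sets/lists/base/shl.mi (`@@ -895,9 +895,7 @@`) only the `./usr/lib/libssh.so` symlink becomes an `obsolete` entry; the `./usr/lib/libssh.so.50` and `./usr/lib/libssh.so.50.0` entries are dropped outright. As far as this hunk shows, nothing then removes those files on an upgraded system, so an old copy of the ssh code would stay in the default library path, stop receiving fixes, and still be loaded by anything linked against it. If leaving them is intended for binary compatibility, a line in the commit message or upgrade notes should say so; otherwise list them the same way as the symlink, e.g. `./usr/lib/libssh.so.50.0 base-obsolete obsolete`.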
@@ -1003,6 +1001,8 @@ ./usr/lib/nss_mdns.so.0 base-obsolete obsolete ./usr/lib/nss_mdnsd.so.0 base-mdns-shlib mdns ./usr/lib/nss_multicast_dns.so.0 base-mdns-shlib mdns +./usr/lib/private/libssh.so.50 base-secsh-shlib +./usr/lib/private/libssh.so.50.0 base-secsh-shlib ./usr/lib/security/pam_afslog.so.4 base-sys-shlib compatfile,kerberos,pam ./usr/lib/security/pam_chroot.so.4 base-sys-shlib compatfile,pam ./usr/lib/security/pam_deny.so.4 base-sys-shlib compatfile,pam diff -r 7db59feec584 distrib/sets/lists/comp/mi --- a/distrib/sets/lists/comp/mi Tue Nov 25 18:49:34 2025 +0000 +++ b/distrib/sets/lists/comp/mi Tue Dec 16 03:50:19 2025 +0000 @@ -4487,8 +4487,8 @@ ./usr/lib/libsqlite3_p.a comp-c-proflib compatfile,profile ./usr/lib/libss.a comp-obsolete obsolete ./usr/lib/libss_p.a comp-obsolete obsolete -./usr/lib/libssh.a comp-c-lib compatfile -./usr/lib/libssh_p.a comp-c-proflib compatfile,profile +./usr/lib/libssh.a comp-obsolete obsolete +./usr/lib/libssh_p.a comp-obsolete obsolete ./usr/lib/libssl.a comp-c-lib compatfile ./usr/lib/libssl_p.a comp-c-proflib compatfile,profile ./usr/lib/libssp.a comp-obsolete obsolete diff -r 7db59feec584 distrib/sets/lists/comp/shl.mi --- a/distrib/sets/lists/comp/shl.mi Tue Nov 25 18:49:34 2025 +0000 +++ b/distrib/sets/lists/comp/shl.mi Tue Dec 16 03:50:19 2025 +0000 @@ -273,7 +273,7 @@ ./usr/lib/libsl_pic.a comp-c-piclib compatfile,picinstall,kerberos ./usr/lib/libsqlite3_pic.a comp-c-piclib compatfile,picinstall ./usr/lib/libss_pic.a comp-obsolete obsolete -./usr/lib/libssh_pic.a comp-c-piclib compatfile,picinstall +./usr/lib/libssh_pic.a comp-obsolete obsolete ./usr/lib/libssl_pic.a comp-c-piclib compatfile,picinstall ./usr/lib/libssp_pic.a comp-obsolete obsolete ./usr/lib/libstdc++_pic.a comp-cxx-piclib compatfile,picinstall,cxx,gcccmds,libstdcxx diff -r 7db59feec584 distrib/sets/lists/debug/mi --- a/distrib/sets/lists/debug/mi Tue Nov 25 18:49:34 2025 +0000 +++ b/distrib/sets/lists/debug/mi Tue Dec 16 03:50:19 2025 +0000 
@@ -256,7 +256,7 @@ ./usr/lib/libsl_g.a comp-c-debuglib debuglib,compatfile,kerberos ./usr/lib/libsqlite3_g.a comp-c-debuglib debuglib,compatfile ./usr/lib/libss_g.a comp-obsolete obsolete,compatfile -./usr/lib/libssh_g.a comp-c-debuglib debuglib,compatfile +./usr/lib/libssh_g.a comp-obsolete obsolete ./usr/lib/libssl_g.a comp-c-debuglib debuglib,compatfile ./usr/lib/libstdc++_g.a comp-c-debuglib debuglib,compatfile,cxx,gcc,libstdcxx ./usr/lib/libsupc++_g.a comp-c-debuglib debuglib,compatfile,cxx,gcc,libstdcxx diff -r 7db59feec584 distrib/sets/lists/debug/shl.mi --- a/distrib/sets/lists/debug/shl.mi Tue Nov 25 18:49:34 2025 +0000 +++ b/distrib/sets/lists/debug/shl.mi Tue Dec 16 03:50:19 2025 +0000 @@ -305,7 +305,6 @@ ./usr/libdata/debug/usr/lib/libskey.so.2.0.debug comp-sys-debug debug,compatfile,skey ./usr/libdata/debug/usr/lib/libsl.so.7.0.debug comp-krb5-debug debug,compatfile,kerberos ./usr/libdata/debug/usr/lib/libsqlite3.so.1.5.debug comp-sys-debug debug,compatfile -./usr/libdata/debug/usr/lib/libssh.so.50.0.debug comp-secsh-debug debug,compatfile ./usr/libdata/debug/usr/lib/libssl.so.12.0.debug comp-crypto-debug debug,compatfile,openssl=10 ./usr/libdata/debug/usr/lib/libssl.so.14.0.debug comp-crypto-debug debug,compatfile,openssl=11 ./usr/libdata/debug/usr/lib/libssl.so.15.0.debug comp-crypto-debug debug,compatfile,openssl=30 
@@ -340,6 +339,7 @@ ./usr/libdata/debug/usr/lib/npf/libext_log.so.0.0.debug comp-obsolete debug,compatfile,npf,obsolete ./usr/libdata/debug/usr/lib/npf/libext_normalise.so.0.0.debug comp-obsolete debug,compatfile,npf,obsolete ./usr/libdata/debug/usr/lib/npf/libext_rndblock.so.0.0.debug comp-obsolete debug,compatfile,npf,obsolete +./usr/libdata/debug/usr/lib/private/libssh.so.50.0.debug comp-secsh-debug debug ./usr/libdata/debug/usr/lib/security/pam_afslog.so.4.debug base-sys-debug debug,compatfile,pam ./usr/libdata/debug/usr/lib/security/pam_chroot.so.4.debug base-sys-debug debug,compatfile,pam ./usr/libdata/debug/usr/lib/security/pam_deny.so.4.debug base-sys-debug debug,compatfile,pam diff -r 7db59feec584 etc/mtree/NetBSD.dist.base --- a/etc/mtree/NetBSD.dist.base Tue Nov 25 18:49:34 2025 +0000 +++ b/etc/mtree/NetBSD.dist.base Tue Dec 16 03:50:19 2025 +0000 @@ -360,6 +360,7 @@ ./usr/lib/openssl/modules ./usr/lib/pkgconfig ./usr/lib/postfix +./usr/lib/private ./usr/lib/security ./usr/libdata ./usr/libdata/debug @@ -375,6 +376,7 @@ ./usr/libdata/debug/usr/lib ./usr/libdata/debug/usr/lib/i18n ./usr/libdata/debug/usr/lib/named +./usr/libdata/debug/usr/lib/private ./usr/libdata/debug/usr/lib/security ./usr/libdata/debug/usr/libexec ./usr/libdata/debug/usr/libexec/ching diff -r 7db59feec584 rescue/Makefile --- a/rescue/Makefile Tue Nov 25 18:49:34 2025 +0000 +++ b/rescue/Makefile Tue Dec 16 03:50:19 2025 +0000 
@@ -23,6 +23,17 @@ CRUNCHGEN_FLAGS+=-V LDSTATIC="-static" - CRUNCHGEN_FLAGS+=-V NOLIBCSANITIZER= -V NOSANITIZER= -V NOMAN= +# libssh is private, so libssh.a is not installed in DESTDIR, so we +# have to get it out of the objdir. +# +# XXX Should do this differently, and uniformly for all libraries. +.if !defined(LIBDO.ssh) +LIBDO.ssh!= cd ${NETBSDSRCDIR}/crypto/external/bsd/openssh/lib && \ + ${PRINTOBJDIR} +.MAKEOVERRIDES+=LIBDO.ssh +.endif +CRUNCHGEN_FLAGS+=-L ${LIBDO.ssh} + RESCUEDIR= /rescue CRUNCHBIN= rescue CRUNCHENV= RESCUEDIR=${RESCUEDIR} diff -r 7db59feec584 share/mk/bsd.README --- a/share/mk/bsd.README Tue Nov 25 18:49:34 2025 +0000 +++ b/share/mk/bsd.README Tue Dec 16 03:50:19 2025 +0000 @@ -927,6 +927,10 @@ LIBDIR Target directory for libraries. SHLIBINSTALLDIR Target directory for shared libraries if ${USE_SHLIBDIR} is not "no". +LIBSUBDIR If nonempty, subdirectory of LIBDIR where this library + is installed. + Default: Empty. + SHLIB_MAJOR SHLIB_MINOR SHLIB_TEENY Major, minor, and teeny version numbers of shared library @@ -1003,6 +1007,18 @@ PROGDPLIBS A list of the tuples: as well as in parent directories to cache common libraries as a build-time optimization. +LIBDPSUBDIRS/ +PROGDPSUBDIRS/ A list of subdirectory paths _subdir_ for which the + ldflags + + -L${SHLIBDIR}/${_subdir_} + -Wl,-rpath,${SHLIBDIR}/${_subdir_} + + should be added, for libraries or programs that depend + on libraries which are installed in nonstandard + locations like /usr/lib/private. + Default: Empty. + LIB_EXPSYM File listing all symbols expected to be defined by the library. Each line has a single symbol. If the symbol is versioned, it is followed by `@@', if it is the diff -r 7db59feec584 share/mk/bsd.lib.mk --- a/share/mk/bsd.lib.mk Tue Nov 25 18:49:34 2025 +0000 +++ b/share/mk/bsd.lib.mk Tue Dec 16 03:50:19 2025 +0000 
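Review bot: In rescue/Makefile the result of `LIBDO.ssh!= cd ... && ${PRINTOBJDIR}` is used without checking that it is non-empty; if the `cd` or `${PRINTOBJDIR}` fails, `CRUNCHGEN_FLAGS+=-L ${LIBDO.ssh}` leaves a bare `-L` that would take the next crunchgen argument as its directory. The same unchecked pattern is added in share/mk/bsd.prog.mk, where an empty value would turn `PAM_STATIC_LDADD` into `-L -lssh` and the DPADD entry into `/libssh.a`. I would add an `.if empty(LIBDO.ssh)` guard that stops with `.error` right after the assignment in both places. The path is also unquoted here while bsd.prog.mk uses `:Q`; `cd ${NETBSDSRCDIR:Q}/crypto/external/bsd/openssh/lib` would make the two copies match.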
@@ -431,11 +431,14 @@ _LIB.so.debug:=${_LIB.so.full}.debug .endif .endif -_DEST.LIB:=${DESTDIR}${LIBDIR} -_DEST.OBJ:=${DESTDIR}${_LIBSODIR} -_DEST.LINT:=${DESTDIR}${LINTLIBDIR} -_DEST.DEBUG:=${DESTDIR}${DEBUGDIR}${LIBDIR} -_DEST.ODEBUG:=${DESTDIR}${DEBUGDIR}${_LIBSODIR} +LIBSUBDIR?= # empty +_LIBSLASHSUBDIR= ${"${LIBSUBDIR}" == "":?:/${LIBSUBDIR}} + +_DEST.LIB:=${DESTDIR}${LIBDIR}${_LIBSLASHSUBDIR} +_DEST.OBJ:=${DESTDIR}${_LIBSODIR}${_LIBSLASHSUBDIR} +_DEST.LINT:=${DESTDIR}${LINTLIBDIR}${_LIBSLASHSUBDIR} +_DEST.DEBUG:=${DESTDIR}${DEBUGDIR}${LIBDIR}${_LIBSLASHSUBDIR} +_DEST.ODEBUG:=${DESTDIR}${DEBUGDIR}${_LIBSODIR}${_LIBSLASHSUBDIR} .if ${MKPIC} == "no" || (defined(LDSTATIC) && ${LDSTATIC} != "") \ || ${MAKELINKLIB} != "no" || ${MAKESTATICLIB} != "no" @@ -591,6 +594,22 @@ _LIBLDOPTS+= -Wl,-x _LIBLDOPTS+= -Wl,-X .endif +# XXX Provisional -- we should get this out of LIBDPLIBS for each +# specific dependency so we can write the directory in one place where +# the library is defined, and not copy and paste it everywhere the +# library is used. +# +# XXX BEWARE: This should only be used by libraries that are private, +# to link against libraries that are private. If you are tempted to +# use this in a library that we expose for applications to link +# against, you need to find another way -- you can't link a library +# against private dependencies without transitively exposing them to +# applications. +.for _subdir_ in ${LIBDPSUBDIRS:U} +_LIBLDOPTS+= -Wl,-rpath,${SHLIBDIR}/${_subdir_} \ + -L=${SHLIBDIR}/${_subdir_} +.endfor + # gcc -shared now adds -lc automatically. For libraries other than libc and # libgcc* we add as a dependency the installed shared libc. For libc and # libgcc* we avoid adding libc as a dependency by using -nostdlib. Note that diff -r 7db59feec584 share/mk/bsd.prog.mk --- a/share/mk/bsd.prog.mk Tue Nov 25 18:49:34 2025 +0000 +++ b/share/mk/bsd.prog.mk Tue Dec 16 03:50:19 2025 +0000 
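Review bot: In share/mk/bsd.lib.mk (`@@ -431,11 +431,14 @@`) the subdirectory suffix is appended to all five destinations, including `_DEST.LIB` and `_DEST.LINT`, but the mtree and sets hunks in this change create only `./usr/lib/private` and `./usr/libdata/debug/usr/lib/private`. For libssh the static archives are suppressed by NOLINKLIB, but I cannot tell from the hunk whether a lint library would still be installed when lint is enabled; if it is, its target `${LINTLIBDIR}/private` would not exist. Either leave `_DEST.LINT` without the suffix or add the directory to mtree, and record the rule with a comment such as `# LIBSUBDIR applies to every install destination; each resulting directory must exist in mtree`. The surrounding block continues outside the hunk.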
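Review bot: In the `.for _subdir_ in ${LIBDPSUBDIRS:U}` loop (`@@ -591,6 +594,22 @@`), and in the matching PROGDPSUBDIRS loop in share/mk/bsd.prog.mk, the rpath and `-L=` are built from `${SHLIBDIR}`, whereas the first hunk of this file installs the shared object under `${_LIBSODIR}${_LIBSLASHSUBDIR}`. The two agree only when the private library's `_LIBSODIR` equals the consumer's `SHLIBDIR`; that presumably holds for /usr/lib/private but is neither stated nor enforced. Every directory listed here is baked into the binary as a place the run-time linker trusts, so I would extend the XXX block with `# Each subdir becomes an rpath entry: it must exist in mtree, be root-owned and not writable by others, and match where LIBSUBDIR installs the library.`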
@@ -179,7 +179,6 @@ _LIBLIST=\ skey \ sl \ sqlite3 \ - ssh \ ssl \ stdc++ \ supc++ \ @@ -222,8 +221,13 @@ LIBLDAP_DPADD+= ${LIBLDAP} ${LIBLBER} ${ # PAM applications, if linked statically, need more libraries .if (${MKPIC} == "no") -PAM_STATIC_LDADD+= -lssh -PAM_STATIC_DPADD+= ${LIBSSH} +. if !defined(LIBDO.ssh) # XXX use PROGDPLIBS instead +LIBDO.ssh!= cd ${NETBSDSRCDIR:Q}/crypto/external/bsd/openssh/lib && \ + ${PRINTOBJDIR} +.MAKEOVERRIDES+=LIBDO.ssh +. endif +PAM_STATIC_LDADD+= -L${LIBDO.ssh} -lssh +PAM_STATIC_DPADD+= ${LIBDO.ssh}/libssh.a .if (${MKKERBEROS} != "no") PAM_STATIC_LDADD+= -lkafs -lkrb5 -lhx509 -lwind -lasn1 \ -lroken -lcom_err -lheimbase -lcrypto -lsqlite3 -lm @@ -289,6 +293,15 @@ _PROGLDOPTS+= -Wl,-rpath-link,${DESTDIR} -L=${SHLIBINSTALLDIR} .endif +# XXX Provisional -- we should get this out of PROGDPLIBS for each +# specific dependency so we can write the directory in one place where +# the library is defined, and not copy and paste it everywhere the +# library is used. +.for _subdir_ in ${PROGDPSUBDIRS:U} +_PROGLDOPTS+= -Wl,-rpath,${SHLIBDIR}/${_subdir_} \ + -L=${SHLIBDIR}/${_subdir_} +.endfor + __proginstall: .USE ${_MKTARGET_INSTALL} ${INSTALL_FILE} -o ${BINOWN} -g ${BINGRP} -m ${BINMODE} \ diff -r 7db59feec584 usr.bin/crunch/crunchgen/crunchgen.c --- a/usr.bin/crunch/crunchgen/crunchgen.c Tue Nov 25 18:49:34 2025 +0000 +++ b/usr.bin/crunch/crunchgen/crunchgen.c Tue Dec 16 03:50:19 2025 +0000 @@ -103,7 +103,7 @@ static char outmkname[MAXPATHLEN], outcf static char cachename[MAXPATHLEN], curfilename[MAXPATHLEN]; static char curdir[MAXPATHLEN]; static char topdir[MAXPATHLEN]; -static char libdir[MAXPATHLEN] = "/usr/lib"; +static strlst_t *libdirs = NULL; static int linenum = -1; static int goterror = 0; 
@@ -177,7 +177,7 @@ main(int argc, char **argv) case 'e': (void)estrlcpy(execfname, optarg, sizeof(execfname)); break; case 'D': (void)estrlcpy(topdir, optarg, sizeof(topdir)); break; - case 'L': (void)estrlcpy(libdir, optarg, sizeof(libdir)); break; + case 'L': add_string(&libdirs, optarg); break; case 'v': add_string(&vars, optarg); break; case 'V': addvar(optarg); break; @@ -959,6 +959,7 @@ top_makefile_rules(FILE *outmk) { prog_t *p; var_t *v; + strlst_t *libdir; for (v = mvars; v != NULL; v = v->next) { fprintf(outmk, "%s=%s\n", v->name, v->value); @@ -977,6 +978,8 @@ top_makefile_rules(FILE *outmk) fprintf(outmk, " %s.cro", p->name); fprintf(outmk, "\n"); fprintf(outmk, "DPADD+= ${CRUNCHED_OBJS}\n"); + for (libdir = libdirs; libdir != NULL; libdir = libdir->next) + fprintf(outmk, "LDADD+= -L%s\n", libdir->str); fprintf(outmk, "LDADD+= ${CRUNCHED_OBJS} "); output_strlst(outmk, libs); fprintf(outmk, "CRUNCHEDOBJSDIRS="); diff -r 7db59feec584 usr.sbin/wg-keygen/Makefile --- a/usr.sbin/wg-keygen/Makefile Tue Nov 25 18:49:34 2025 +0000 +++ b/usr.sbin/wg-keygen/Makefile Tue Dec 16 03:50:19 2025 +0000 @@ -3,7 +3,6 @@ PROG= wg-keygen MAN= wg-keygen.8 -DPADD+= ${LIBSSH} -LDADD+= -lssh +PROGDPLIBS+= ssh ${NETBSDSRCDIR}/crypto/external/bsd/openssh/lib .include
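Review bot: In top_makefile_rules() (`@@ -977,6 +978,8 @@`) each `-L` argument is written into the generated makefile verbatim by `fprintf(outmk, "LDADD+= -L%s\n", libdir->str);`, so a directory containing whitespace, `#` or `$` would be split, truncated or expanded by make instead of reaching the linker as one path. Other values in this function are emitted the same way, so this may be accepted practice, but `-L` now carries a computed objdir path from rescue/Makefile. A comment such as `/* libdir->str is emitted unquoted; callers must pass make-safe paths */` would record the assumption, and the loop body would read better braced like the `for (v = mvars; ...)` loop above it. The option is now repeatable, so crunchgen's usage text and manual page, neither visible in this diff, may need the same update; the function body starts and ends outside the hunk.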
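Review bot: usr.sbin/wg-keygen/Makefile switches to `PROGDPLIBS+= ssh ...`, which locates libssh in its objdir at link time, but nothing visible in this Makefile sets PROGDPSUBDIRS, and the only place this change sets it is crypto/external/bsd/openssh/Makefile.inc. Unless an included makefile outside this diff supplies it, a dynamically linked wg-keygen would get no rpath for /usr/lib/private and would fail to load libssh.so.50 at run time. I would add `PROGDPSUBDIRS+= private` next to the PROGDPLIBS line. Any other in-tree consumer of `-lssh` that this diff does not touch deserves the same check.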