- Remove compatibiliy for FreeBSD <4.x

  * /var/empty has been in hier(7) since 4.x
  * User sshd has been in base since 4.x
  * Simplify a patch for realhostname_sa(3) usage
- Remove SUID_SSH - It was removed from ssh in 2002
- Fix 'make test'
- Add some hints into the patches on where they came from
- Mirror all patches
- Move LPK patch out of files/
- Remove the need for 2 patches
  * Removal of 'host-key check-config' in install phase
  * Adding -lutil
- Add SCTP support [1]
- Remove FILECONTROL as it has not been supported since the 5.8
  update
- Replace tab with space pkg-descr
- Remove default WRKSRC
- Add 'configtest' command to rc script
- Mark X509 broken with other patches due to PATCH_DIST_STRIP=-p1

PR:		ports/174570 [1]
Submitted by:	oleg <proler@gmail.com> [1]
Obtained from:	https://bugzilla.mindrot.org/show_bug.cgi?id=2016 (upstream) [1]
Feature safe:	yes

1 files changed, 42 insertions, 44 deletions

diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 64e44e564faf..2c480aacd667 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -13,8 +13,6 @@ PKGNAMESUFFIX=	-portable
 MAINTAINER=	bdrewery@FreeBSD.org
 COMMENT=	The portable version of OpenBSD's OpenSSH
 
-WRKSRC=		${WRKDIR}/${PORTNAME}-${DISTVERSION}
-
 MAN1=	sftp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 scp.1 ssh.1
 MLINKS=	ssh.1 slogin.1
 MAN5=	moduli.5 ssh_config.5 sshd_config.5
@@ -22,7 +20,12 @@ MAN8=	sftp-server.8 sshd.8 ssh-keysign.8 ssh-pkcs11-helper.8
 
 CONFLICTS?=		openssh-3.* ssh-1.* ssh2-3.*
 
+# XXX: ports/52706 will allow using DEFAULT,x509,gsskex here.
+PATCH_SITES+=		http://mirror.shatow.net/freebsd/${PORTNAME}/ \
+			http://mirror.shatow.net/freebsd/${PORTNAME}/:x509,gsskex
+
 USE_PERL5_BUILD=	yes
+USE_AUTOTOOLS=		autoconf autoheader
 USE_OPENSSL=		yes
 GNU_CONFIGURE=		yes
 CONFIGURE_ENV=		ac_cv_func_strnvis=no
@@ -36,37 +39,46 @@ ETCOLD=			${PREFIX}/etc
 SUDO?=		# empty
 MAKE_ENV+=	SUDO="${SUDO}"
 
-OPTIONS_DEFINE=		PAM TCP_WRAPPERS LIBEDIT SUID_SSH BSM KERBEROS \
-			KERB_GSSAPI OPENSSH_CHROOT HPN LPK X509 FILECONTROL \
-			OVERWRITE_BASE
+OPTIONS_DEFINE=		PAM TCP_WRAPPERS LIBEDIT BSM KERBEROS \
+			KERB_GSSAPI OPENSSH_CHROOT HPN LPK X509 \
+			OVERWRITE_BASE SCTP
 OPTIONS_DEFAULT=	LIBEDIT PAM TCP_WRAPPERS
 TCP_WRAPPERS_DESC=	Enable tcp_wrappers support
-SUID_SSH_DESC=		Enable suid SSH (Recommended off)
 BSM_DESC=		Enable OpenBSM Auditing
 KERB_GSSAPI_DESC=	Enable Kerberos/GSSAPI patch (req: GSSAPI)
 OPENSSH_CHROOT_DESC=	Enable CHROOT support
 HPN_DESC=		Enable HPN-SSH patch
 LPK_DESC=		Enable LDAP Public Key (LPK) patch
 X509_DESC=		Enable x509 certificate patch
-FILECONTROL_DESC=	Enable file control patch (broken)
+SCTP_DESC=		Enable SCTP support
 OVERWRITE_BASE_DESC=	OpenSSH overwrite base
 
 .include <bsd.port.pre.mk>
 
 .if ${OSVERSION} >= 900000
-EXTRA_PATCHES=	${FILESDIR}/extra-patch-configure
+CONFIGURE_LIBS+=	-lutil
 .endif
 
 .if ${OSVERSION} >= 900007
 CONFIGURE_ARGS+=	--disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog
 .endif
 
-.if ${PORT_OPTIONS:MX509} && ${PORT_OPTIONS:MHPN}
-BROKEN=		X509 patches and HPN patches do not apply cleanly together
-.endif
+.if ${PORT_OPTIONS:MX509}
+.  if ${PORT_OPTIONS:MHPN}
+BROKEN=		X509 patch and HPN patch do not apply cleanly together
+.  endif
 
-.if ${PORT_OPTIONS:MX509} && ${PORT_OPTIONS:MKERB_GSSAPI}
+.  if ${PORT_OPTIONS:MKERB_GSSAPI}
 BROKEN=		X509 patch incompatible with KERB_GSSAPI patch
+.  endif
+
+.  if ${PORT_OPTIONS:MSCTP}
+BROKEN=		X509 patch and SCTP patch do not apply cleanly together
+.  endif
+
+.  if ${PORT_OPTIONS:MLPK}
+BROKEN=		X509 patch and LPK patch do not apply cleanly together
+.  endif
 .endif
 
 .if defined(OPENSSH_OVERWRITE_BASE)
@@ -85,10 +97,6 @@ CONFIGURE_ARGS+=	--with-tcp-wrappers
 CONFIGURE_ARGS+=	--with-libedit
 .endif
 
-.if !${PORT_OPTIONS:MSUID_SSH}
-CONFIGURE_ARGS+=	--disable-suid-ssh
-.endif
-
 .if ${PORT_OPTIONS:MBSM}
 CONFIGURE_ARGS+=	--with-audit=bsm
 .endif
@@ -97,8 +105,8 @@ CONFIGURE_ARGS+=	--with-audit=bsm
 CONFIGURE_ARGS+=	--with-kerberos5
 LIB_DEPENDS+=		krb5.3:${PORTSDIR}/security/krb5
 .if ${PORT_OPTIONS:MKERB_GSSAPI}
-PATCH_SITES+=		http://www.sxw.org.uk/computing/patches/
-PATCHFILES+=		openssh-5.7p1-gsskex-all-20110125.patch
+PATCH_SITES+=		http://www.sxw.org.uk/computing/patches/:gsskex
+PATCHFILES+=		openssh-5.7p1-gsskex-all-20110125.patch:gsskex
 PATCH_DIST_STRIP=
 .endif
 .if ${OPENSSLBASE} == "/usr"
@@ -115,8 +123,8 @@ CONFIGURE_ARGS+=	--with-ssl-dir=${OPENSSLBASE}
 CFLAGS+=		-DCHROOT
 .endif
 
+# http://www.psc.edu/index.php/hpn-ssh
 .if ${PORT_OPTIONS:MHPN}
-PATCH_SITES+=		http://mirror.shatow.net/freebsd/${PORTNAME}/
 PATCHFILES+=		${PORTNAME}-5.8p1-hpn13v11.diff.gz
 PATCH_DIST_STRIP=
 .endif
@@ -125,19 +133,19 @@ PATCH_DIST_STRIP=
 # and svn repo described here:
 # http://code.google.com/p/openssh-lpk/source/checkout
 .if ${PORT_OPTIONS:MLPK}
-EXTRA_PATCHES+=		${FILESDIR}/openssh-lpk-5.8p2.patch
+PATCHFILES+=		${PORTNAME}-lpk-5.8p2.patch.gz
 USE_OPENLDAP=		yes
 CPPFLAGS+=		-I${LOCALBASE}/include
 CONFIGURE_ARGS+=	--with-ldap=yes \
-			--with-libs='-lldap' \
 			--with-ldflags='-L${LOCALBASE}/lib' \
 			--with-cppflags='${CPPFLAGS}'
+CONFIGURE_LIBS+=	-lldap
 .endif
 
 # See http://www.roumenpetrov.info/openssh/
 .if ${PORT_OPTIONS:MX509}
-PATCH_SITES+=		http://www.roumenpetrov.info/openssh/x509-7.0/
-PATCHFILES+=		${PORTNAME}-5.8p1+x509-7.0.diff.gz
+PATCH_SITES+=		http://www.roumenpetrov.info/openssh/x509-7.0/:x509
+PATCHFILES+=		${PORTNAME}-5.8p1+x509-7.0.diff.gz:x509
 PATCH_DIST_STRIP=	-p1
 PLIST_SUB+=		X509=""
 MAN5+=			ssh_engine.5
@@ -145,33 +153,24 @@ MAN5+=			ssh_engine.5
 PLIST_SUB+=		X509="@comment "
 .endif
 
-# See http://sftpfilecontrol.sourceforge.net/
-.if ${PORT_OPTIONS:MFILECONTROL}
-# Latest sftpfilecontrol patch is against 5.4p1 which does not apply
-# cleanly against 5.8p2, but it's close.
-BROKEN=			latest upstream sftp file control public key patch is not up to date for OpenSSH 5.8p2
-EXTRA_PATCHES+=		${FILESDIR}/openssh-${DISTVERSION}.sftpfilecontrol-v1.3.patch
+# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
+.if ${PORT_OPTIONS:MSCTP}
+PATCHFILES+=		${PORTNAME}-sctp-2163.patch.gz
+CONFIGURE_ARGS+=	--with-sctp
 .endif
 
+EMPTYDIR=		/var/empty
+
 .if ${PORT_OPTIONS:MOVERWRITE_BASE}
 WITH_OPENSSL_BASE=	yes
 CONFIGURE_ARGS+=	--localstatedir=/var
-EMPTYDIR=		/var/empty
 PREFIX=			/usr
 ETCSSH=			/etc/ssh
 USE_RCORDER=		openssh
 PLIST_SUB+=		NOTBASE="@comment "
 PLIST_SUB+=		BASE=""
 PLIST_SUB+=		BASEPREFIX="${PREFIX}"
-PLIST_SUB+=		ERASEEMPTY="@comment "
 .else
-.if exists(/var/empty)
-EMPTYDIR=		/var/empty
-PLIST_SUB+=		ERASEEMPTY="@comment "
-.else
-EMPTYDIR=		${PREFIX}/empty
-PLIST_SUB+=		ERASEEMPTY=""
-.endif
 ETCSSH=			${PREFIX}/etc/ssh
 USE_RC_SUBR=		openssh
 PLIST_SUB+=		NOTBASE=""
@@ -180,13 +179,16 @@ PLIST_SUB+=		BASE="@comment "
 
 # After all
 SUB_LIST+=		ETCSSH="${ETCSSH}"
-PLIST_SUB+=		EMPTYDIR="${EMPTYDIR}"
 CONFIGURE_ARGS+=	--sysconfdir=${ETCSSH} --with-privsep-path=${EMPTYDIR}
+.if !empty(CONFIGURE_LIBS)
+CONFIGURE_ARGS+=	--with-libs='${CONFIGURE_LIBS}'
+.endif
 
 RC_SCRIPT_NAME=		openssh
 
 post-patch:
 	@${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure
+	@${REINPLACE_CMD} -e 's|install: \(.*\) host-key check-config|install: \1|g' ${WRKSRC}/Makefile.in
 	@${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \
 		-e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8
 	@${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \
@@ -203,10 +205,6 @@ post-patch:
 .endif
 
 pre-su-install:
-	@${MKDIR} ${EMPTYDIR}
-	if ! pw groupshow sshd; then pw groupadd sshd -g 22; fi
-	if ! pw usershow sshd; then pw useradd sshd -g sshd -u 22 \
-		-h - -d ${EMPTYDIR} -s /nonexistent -c "sshd privilege separation"; fi
 .if !exists(${ETCSSH})
 	@${MKDIR} ${ETCSSH}
 .endif
@@ -224,7 +222,7 @@ post-install:
 	@${CAT} ${PKGMESSAGE}
 
 test:	build
-	(cd ${WRKSRC}/regress && ${SETENV} ${MAKE_ENV} TEST_SHELL=/bin/sh \
+	(cd ${WRKSRC}/regress && ${SETENV} OBJ=${WRKDIR} ${MAKE_ENV} TEST_SHELL=/bin/sh \
 		PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
 		${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS})