authormarino <marino@FreeBSD.org>2016-09-13 10:58:03 +0800
committermarino <marino@FreeBSD.org>2016-09-13 10:58:03 +0800
commit00f55536f5f2a883a924bc80fe8583e10b82aab9 (patch)
tree9258f45ebaac0eac596bb70a64ad2ad52f613865 /security
parent39d873616fd7ef66fe4136412bd637cd060a650e (diff)
securty/bro: Modernize options, remove Ports SSL option, support LibreSSL
The "build with Ports SSL" option is no longer valid. The SSL library is selected through the SSL_DEFAULT value. While removing the PORTS_SSL option, modernize the entire set of options under the general infrastructure blanket. The SSL work, including the support for LibreSSL, was done under the SSL blanket.
Diffstat (limited to 'security')
-rw-r--r--security/bro/Makefile112
-rw-r--r--security/bro/files/patch-aux_broccoli_src_bro__openssl.c14
-rw-r--r--security/bro/files/patch-src_ChunkedIO.cc14
3 files changed, 59 insertions, 81 deletions
diff --git a/security/bro/Makefile b/security/bro/Makefile
index 32228078804f..4cfac9f2cd3a 100644
--- a/security/bro/Makefile
+++ b/security/bro/Makefile
@@ -3,6 +3,7 @@
PORTNAME= bro
PORTVERSION= 2.4.1
+PORTREVISION= 1
CATEGORIES= security
MASTER_SITES= http://www.bro.org/downloads/release/
@@ -17,7 +18,7 @@ BUILD_DEPENDS= ${LOCALBASE}/bin/bison:devel/bison \
${LOCALBASE}/bin/swig:devel/swig13
LIB_DEPENDS= libGeoIP.so:net/GeoIP
-USES= cmake:outsource compiler:c++11-lang perl5 python
+USES= cmake:outsource compiler:c++11-lang perl5 python ssl
CMAKE_ARGS+= -D PYTHON_EXECUTABLE:PATH=${PYTHON_CMD}
CXXFLAGS+= -std=c++11 -Wextra -Wall -pedantic
@@ -41,7 +42,8 @@ CMAKE_ARGS+= -D CMAKE_INSTALL_PREFIX:PATH=${PREFIX} \
-D ENABLE_PERFTOOLS_DEBUG:BOOL=false \
-D BinPAC_SKIP_INSTALL:BOOL=true \
-D INSTALL_AUX_TOOLS:BOOL=true \
- -D BUILD_SHARED_LIBS:BOOL=true
+ -D BUILD_SHARED_LIBS:BOOL=true \
+ -D CMAKE_EXE_LINKER_FLAGS="${OPENSSL_LDFLAGS}"
BROUSER?= bro
BROGROUP?= bro
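Review bot: `CMAKE_EXE_LINKER_FLAGS` only affects executables, yet `BUILD_SHARED_LIBS:BOOL=true` sits on the line above, so any shared library in this build that uses libssl would be linked without `${OPENSSL_LDFLAGS}` unless the framework's own LDFLAGS already carry them. With a non-base SSL_DEFAULT that could leave a library compiled against one SSL implementation's headers but resolved against another at run time; this is inferred from the visible lines and worth checking with `ldd` on the staged libraries. If it applies, add `-D CMAKE_SHARED_LINKER_FLAGS="${OPENSSL_LDFLAGS}"` next to the new line. The CMAKE_ARGS assignment starts above this hunk.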
@@ -51,100 +53,48 @@ PLIST_SUB+= BROUSER=${BROUSER} \
USERS= ${BROUSER}
GROUPS= ${BROGROUP}
-USE_OPENSSL= yes
-
-OPTIONS_DEFINE= BROCCOLI BROCTL BROKER DEBUG IPSUMDUMP LBL_CF LBL_HF PERFTOOLS PORTS_SSL
-OPTIONS_DEFAULT=BROCCOLI BROCTL IPSUMDUMP LBL_CF LBL_HF PORTS_SSL
+OPTIONS_DEFINE= BROCCOLI BROCTL BROKER DEBUG IPSUMDUMP LBL_CF LBL_HF PERFTOOLS
+OPTIONS_DEFAULT=BROCCOLI BROCTL IPSUMDUMP LBL_CF LBL_HF
+OPTIONS_SUB= yes
BROCCOLI_DESC= Build support for libbroccoli communications
-BROCTL_DESC= Build BroControl support (requires BROCCOLI)
+BROCTL_DESC= BroControl support (implies BROCCOLI and IPSUMDUMP)
BROKER_DESC= Enable the Broker communication library
DEBUG_DESC= Compile in debugging mode
IPSUMDUMP_DESC= Enables traffic summaries
LBL_CF_DESC= Unix time to formated time/date filter support
LBL_HF_DESC= Address to hostname filter support
PERFTOOLS_DESC= Use Perftools to improve memory & CPU usage
-PORTS_SSL_DESC= Build with OpenSSL from ports (instead of base system)
-
-OPTIONS_EXCLUDE=NLS DOCS
-
-PORTS_SSL_VARS= WITH_OPENSSL_PORT=yes
-
-.include <bsd.port.pre.mk>
-.if ${PORT_OPTIONS:MBROCCOLI}
-LIB_DEPENDS+= libbroccoli.so:security/broccoli
-.endif
-
-.if ${PORT_OPTIONS:MBROCTL}
-.if empty(PORT_OPTIONS:MBROCCOLI)
-IGNORE= the BROCTL option requires BROCCOLI
-.endif
-.if empty(PORT_OPTIONS:MIPSUMDUMP)
-IGNORE= the BROCTL option requires IPSUMDUMP
-.endif
-BUILD_DEPENDS+= ${LOCALBASE}/bin/bash:shells/bash \
- ${PYTHON_PKGNAMEPREFIX}sqlite3>0:databases/py-sqlite3
-RUN_DEPENDS+= ${LOCALBASE}/bin/bash:shells/bash \
- ${PYTHON_PKGNAMEPREFIX}sqlite3>0:databases/py-sqlite3
-PLIST_SUB+= BROCTL=""
-USE_LDCONFIG= yes
-CMAKE_ARGS+= -D INSTALL_BROCTL:BOOL=true
-.else
-CMAKE_ARGS+= -D INSTALL_BROCTL:BOOL=false
-PLIST_SUB+= BROCTL="@comment "
-.endif
+BROCTL_IMPLIES= BROCCOLI IPSUMDUMP
+
+BROCCOLI_LIB_DEPENDS= libbroccoli.so:security/broccoli
+BROCTL_BUILD_DEPENDS= ${LOCALBASE}/bin/bash:shells/bash \
+ ${PYTHON_PKGNAMEPREFIX}sqlite3>0:databases/py-sqlite3
+BROCTL_RUN_DEPENDS= ${LOCALBASE}/bin/bash:shells/bash \
+ ${PYTHON_PKGNAMEPREFIX}sqlite3>0:databases/py-sqlite3
+BROCTL_CMAKE_BOOL= INSTALL_BROCTL
+BROCTL_USE= LDCONFIG=yes
+IPSUMDUMP_BUILD_DEPENDS=ipsumdump:net/ipsumdump
+IPSUMDUMP_RUN_DEPENDS= ipsumdump:net/ipsumdump
+BROKER_CMAKE_BOOL= ENABLE_BROKER
+BROKER_BUILD_DEPENDS= caf>=0.14.1:devel/caf
+DEBUG_CMAKE_BOOL= ENABLE_DEBUG
+LBL_HF_RUN_DEPENDS= ${LOCALBASE}/bin/hf:sysutils/lbl-hf
+LBL_CF_RUN_DEPENDS= ${LOCALBASE}/bin/cf:sysutils/lbl-cf
+PERFTOOLS_CMAKE_BOOL= ENABLE_PERFTOOLS
+PERFTOOLS_RUN_DEPENDS= ${LOCALBASE}/bin/pprof:devel/google-perftools
+
+.include <bsd.port.options.mk>
.if ${PORT_OPTIONS:MBROKER}
-CMAKE_ARGS+= -D ENABLE_BROKER:BOOL=true
-BUILD_DEPENDS+= caf>=0.14.1:devel/caf
-PLIST_SUB+= BROKER=""
-
-.if ${OSVERSION} < 1001000
+. if ${OPSYS} == FreeBSD && ${OSVERSION} < 1001000
# Bro 2.4 with BROKER requires caf, clang and libc++
BUILD_DEPENDS+= ${LOCALBASE}/bin/clang++34:lang/clang34 \
${LOCALBASE}/lib/c++/libstdc++.so:devel/libc++
-
CXXFLAGS+= -stdlib=libc++ -I${LOCALBASE}/include/c++/v1 -L${LOCALBASE}/lib
CXX= ${LOCALBASE}/bin/clang++34
-.endif
-.else
-CMAKE_ARGS+= -D ENABLE_BROKER:BOOL=false
-PLIST_SUB+= BROKER="@comment "
-.endif
-
-.if ${PORT_OPTIONS:MDEBUG}
-CMAKE_ARGS+= -D ENABLE_DEBUG:BOOL=true
-.else
-CMAKE_ARGS+= -D ENABLE_DEBUG:BOOL=false
-.endif
-
-.if ${PORT_OPTIONS:MLBL_HF}
-RUN_DEPENDS+= ${LOCALBASE}/bin/hf:sysutils/lbl-hf
-.endif
-
-.if ${PORT_OPTIONS:MLBL_CF}
-RUN_DEPENDS+= ${LOCALBASE}/bin/cf:sysutils/lbl-cf
-.endif
-
-.if ${PORT_OPTIONS:MPERFTOOLS}
-CMAKE_ARGS+= -D ENABLE_PERFTOOLS:BOOL=true
-RUN_DEPENDS+= ${LOCALBASE}/bin/pprof:devel/google-perftools
-.else
-CMAKE_ARGS+= -D ENABLE_PERFTOOLS:BOOL=false
-.endif
-
-.if ${PORT_OPTIONS:MPORTS_SSL}
-CMAKE_ARGS+= -D CMAKE_EXE_LINKER_FLAGS="${OPENSSL_LDFLAGS}"
-.else
-.if ${SSL_DEFAULT} != base
-IGNORE= the SSL option is requred when using SSL from ports
-.endif
-.endif
-
-.if ${PORT_OPTIONS:MIPSUMDUMP}
-BUILD_DEPENDS+= ipsumdump:net/ipsumdump
-RUN_DEPENDS+= ipsumdump:net/ipsumdump
+. endif
.endif
post-install-BROCTL-on:
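Review bot: The legacy-release branch inside `.if ${PORT_OPTIONS:MBROKER}` assigns `CXX= ${LOCALBASE}/bin/clang++34` directly while `USES=` still carries `compiler:c++11-lang`, and after this change the block follows `bsd.port.options.mk` instead of `bsd.port.pre.mk`. If the compiler selection from USES is only applied later by `bsd.port.mk`, it may override or conflict with this assignment on the old releases the branch targets; that ordering is not visible here and should be confirmed with a build on such a release. Since this is now the only hand-written option block left, a comment saying why would help, for example `# OSVERSION-dependent compiler override; not expressible as an option helper`.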
@@ -156,4 +106,4 @@ post-install-BROCTL-on:
@${MV} ${STAGEDIR}${PREFIX}/etc/${F} ${STAGEDIR}${PREFIX}/etc/${F}.example
.endfor
-.include <bsd.port.post.mk>
+.include <bsd.port.mk>
diff --git a/security/bro/files/patch-aux_broccoli_src_bro__openssl.c b/security/bro/files/patch-aux_broccoli_src_bro__openssl.c
new file mode 100644
index 000000000000..c6c0b4596d70
--- /dev/null
+++ b/security/bro/files/patch-aux_broccoli_src_bro__openssl.c
@@ -0,0 +1,14 @@
+--- aux/broccoli/src/bro_openssl.c.orig 2015-09-06 19:43:23 UTC
++++ aux/broccoli/src/bro_openssl.c
+@@ -302,7 +302,11 @@ __bro_openssl_init(void)
+ * to set up an SSL connection now and abort if this fails in any way.
+ */
+
++#ifndef OPENSSL_NO_SSL3
+ if (! (ctx = SSL_CTX_new(SSLv3_method())))
++#else
++ if (! (ctx = SSL_CTX_new(SSLv23_method())))
++#endif
+ D_RETURN_(FALSE);
+
+ /* We expect things to be stored in PEM format, which means that we
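Review bot: The added `#ifndef OPENSSL_NO_SSL3` keeps `SSLv3_method()` whenever the library still provides it, so builds against such a library stay pinned to SSL 3.0, a deprecated protocol version, and only libraries without SSLv3 get the version-negotiating `SSLv23_method()`. The same pattern is added in patch-src_ChunkedIO.cc (ChunkedIOSSL::Init). Two peers built against different SSL libraries may then fail to handshake, since one side offers only SSL 3.0 and the other presumably cannot speak it. Consider using `SSLv23_method()` unconditionally in both files and, after the NULL check on ctx, `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`. `__bro_openssl_init` continues outside the hunk.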
diff --git a/security/bro/files/patch-src_ChunkedIO.cc b/security/bro/files/patch-src_ChunkedIO.cc
new file mode 100644
index 000000000000..b61b9250b761
--- /dev/null
+++ b/security/bro/files/patch-src_ChunkedIO.cc
@@ -0,0 +1,14 @@
+--- src/ChunkedIO.cc.orig 2015-09-06 19:43:16 UTC
++++ src/ChunkedIO.cc
+@@ -709,7 +709,11 @@ bool ChunkedIOSSL::Init()
+ {
+ SSL_load_error_strings();
+
++#ifndef OPENSSL_NO_SSL3
+ ctx = SSL_CTX_new(SSLv3_method());
++#else
++ ctx = SSL_CTX_new(SSLv23_method());
++#endif
+ if ( ! ctx )
+ {
+ Log("can't create SSL context");