- Fix X509 build after r484765 openssl fix

- Fix patch URL for KERB_GSSAPI
- Add FLAVORs for x509 and gssapi since they are distinct types of
  OpenSSH rather than feature flags.

Approved by:	portmgr (implicit)

security/openssh-portable/Makefile

@@ -26,10 +26,18 @@ CONFIGURE_ARGS=		--prefix=${PREFIX} --with-md5-passwords \
 
 ETCOLD=			${PREFIX}/etc
 
-FLAVORS=			default hpn
-default_CONFLICTS_INSTALL=	openssl-portable-hpn
-hpn_CONFLICTS_INSTALL=		openssh-portable
+FLAVORS=			default hpn gssapi x509
+default_CONFLICTS_INSTALL=	openssh-portable-hpn openssh-portable-gssapi \
+				openssh-portable-x509
+hpn_CONFLICTS_INSTALL=		openssh-portable openssh-portable-gssapi \
+				openssh-portable-x509
 hpn_PKGNAMESUFFIX=		-portable-hpn
+gssapi_CONFLICTS_INSTALL=	openssh-portable openssh-portable-hpn \
+				openssh-portable-x509
+gssapi_PKGNAMESUFFIX=		-portable-gssapi
+x509_CONFLICTS_INSTALL=		openssh-portable openssh-portable-hpn \
+				openssh-portable-gssapi
+x509_PKGNAMESUFFIX=		-portable-x509
 
 OPTIONS_DEFINE=		DOCS PAM TCP_WRAPPERS LIBEDIT BSM \
 			HPN X509 KERB_GSSAPI \
@@ -38,6 +46,12 @@ OPTIONS_DEFAULT=	LIBEDIT PAM TCP_WRAPPERS LDNS
 .if ${FLAVOR:U} == hpn
 OPTIONS_DEFAULT+=	HPN NONECIPHER
 .endif
+.if ${FLAVOR:U} == gssapi
+OPTIONS_DEFAULT+=	KERB_GSSAPI MIT
+.endif
+.if ${FLAVOR:U} == x509
+OPTIONS_DEFAULT+=	X509
+.endif
 OPTIONS_RADIO=		KERBEROS
 OPTIONS_RADIO_KERBEROS=	MIT HEIMDAL HEIMDAL_BASE
 TCP_WRAPPERS_DESC=	tcp_wrappers support
@@ -87,9 +101,13 @@ ETCDIR?=		${PREFIX}/etc/ssh
 
 PATCH_SITES+=		http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex
 
+# Upstream OpenSSL fix but does not apply for x509 patch.
+EXTRA_PATCHES+=		${FILESDIR}/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969
+
 # X509 patch includes TCP Wrapper support already
 .if ${PORT_OPTIONS:MX509}
 EXTRA_PATCHES:=		${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
+EXTRA_PATCHES:=		${EXTRA_PATCHES:N${FILESDIR}/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969}
 .endif
 
 # Must add this patch before HPN due to conflicts
@@ -104,7 +122,7 @@ EXTRA_PATCHES:=		${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
 # Needed glue for applying HPN patch without conflict
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-hpn-gss-glue
 .  endif
-PATCHFILES+=	openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz:-p1:gsskex
+PATCHFILES+=	openssh-7.9p1-gsskex-all-20141021-debian-rh-20181020.patch.gz:-p1:gsskex
 .endif
 
 # https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1

security/openssh-portable/files/extra-patch-x509-glue

@@ -1,42 +1,3 @@
---- session.c.orig	2017-10-12 11:52:52.953370000 -0700
-+++ session.c	2017-10-12 11:53:40.793055000 -0700
-@@ -1062,36 +1062,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
- 	if (getenv("TZ"))
- 		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
- 
--#ifdef __ANDROID__
--{
--#define COPY_ANDROID_ENV(name)	{			\
--	char *s = getenv(name);				\
--	if (s)	child_set_env(&env, &envsize, name, s); }
--
--	/* from /init.rc */
--	COPY_ANDROID_ENV("ANDROID_BOOTLOGO");
--	COPY_ANDROID_ENV("ANDROID_ROOT");
--	COPY_ANDROID_ENV("ANDROID_ASSETS");
--	COPY_ANDROID_ENV("ANDROID_DATA");
--	COPY_ANDROID_ENV("ASEC_MOUNTPOINT");
--	COPY_ANDROID_ENV("LOOP_MOUNTPOINT");
--	COPY_ANDROID_ENV("BOOTCLASSPATH");
--
--	/* FIXME: keep android property workspace open
--	 * (see openbsd-compat/bsd-closefrom.c)
--	 */
--	COPY_ANDROID_ENV("ANDROID_PROPERTY_WORKSPACE");
--
--	COPY_ANDROID_ENV("EXTERNAL_STORAGE");		/* ??? */
--	COPY_ANDROID_ENV("SECONDARY_STORAGE");		/* ??? */
--	COPY_ANDROID_ENV("SD_EXT_DIRECTORY");		/* ??? */
--
--	/* may contain path to custom libraries */
--	COPY_ANDROID_ENV("LD_LIBRARY_PATH");
--#undef COPY_ANDROID_ENV
--}
--#endif
--
- 	/* Set custom environment options from pubkey authentication. */
- 	if (options.permit_user_env) {
- 		for (n = 0 ; n < auth_opts->nenv; n++) {
 --- sshd_config.5.orig	2017-10-12 11:51:06.638814000 -0700
 +++ sshd_config.5	2017-10-12 11:51:33.780459000 -0700
 @@ -1682,7 +1682,57 @@ is set to

security/openssh-portable/files/patch-session.c

@@ -50,7 +50,7 @@ Sponsored by:   DARPA, NAI Labs
 +	*environ = NULL;
 +	(void) setusercontext(lc, pw, pw->pw_uid,
 +	    LOGIN_SETENV|LOGIN_SETPATH);
-+	copy_environment(environ, &env, &envsize);
++	copy_environment_blacklist(environ, &env, &envsize, NULL);
 +	for (var = environ; *var != NULL; ++var)
 +		free(*var);
 +	free(environ);
@@ -58,7 +58,7 @@ Sponsored by:   DARPA, NAI Labs
  #else /* HAVE_LOGIN_CAP */
  # ifndef HAVE_CYGWIN
  	/*
-@@ -1082,14 +1098,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+@@ -1082,11 +1098,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  # endif /* HAVE_CYGWIN */
  #endif /* HAVE_LOGIN_CAP */
  
@@ -70,9 +70,6 @@ Sponsored by:   DARPA, NAI Labs
  
 -	if (getenv("TZ"))
 -		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
- 	if (s->term)
- 		child_set_env(&env, &envsize, "TERM", s->term);
- 	if (s->display)
 @@ -1389,7 +1400,7 @@ do_setusercontext(struct passwd *pw)
  	if (platform_privileged_uidswap()) {
  #ifdef HAVE_LOGIN_CAP