# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4
# $Id: Portfile 119759 2014-05-05 21:25:29Z cal@macports.org $

PortSystem          1.0

# Port identity.  "revision" changes when the built artefacts change without
# an upstream version bump (patch or dependency changes) so installed copies
# get rebuilt; "version" tracks the upstream portable release.
name                openssh
version             6.6p1
revision            2
categories          net
platforms           darwin
maintainers         nomaintainer
license             BSD
# No shared libraries are installed, so rev-upgrade never has to rebuild
# other ports against this one.
installs_libs       no

description         OpenSSH secure login server

# User-facing text shown by "port info"; not a comment, keep it a single
# continued Tcl word.
long_description    OpenSSH is a FREE version of the SSH protocol suite of \
                    network connectivity tools that increasing numbers of people on the \
                    Internet are coming to rely on. Many users of telnet, rlogin, ftp, \
                    and other such programs might not realize that their password is \
                    transmitted across the Internet unencrypted, but it is. OpenSSH \
                    encrypts all traffic (including passwords) to effectively eliminate \
                    eavesdropping, connection hijacking, and other network-level \
                    attacks. Additionally, OpenSSH provides a myriad of secure \
                    tunneling capabilities, as well as a variety of authentication \
                    methods.

homepage            http://www.openbsd.org/openssh/

# Both digests are verified against the downloaded tarball before it is
# extracted, so a mirror serving a modified file is rejected.  This is what
# makes the plaintext http:// and ftp:// mirrors below acceptable: the
# transport gives no integrity guarantee, the checksums do.  Update both
# digests together on every version bump.
checksums           ${distfiles} \
                    rmd160  e19ed34e240001898b6665bb4356b868bba5513d \
                    sha256  48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb

# "openbsd:" is the MacPorts mirror-group alias for the OpenBSD mirror
# network; the explicit entries are fallbacks.  None of them use TLS -- see
# the checksums comment above for why that is tolerable.
master_sites        openbsd:OpenSSH/portable \
                    http://mirror.mcs.anl.gov/openssh/portable/ \
                    ftp://ftp.cise.ufl.edu/pub/mirrors/openssh/portable/ \
                    ftp://reflection.ncsa.uiuc.edu/pub/OpenBSD/OpenSSH/portable/ \
                    ftp://mirror.mcs.anl.gov/pub/openssh/portable/ \
                    ftp://ftp.cse.buffalo.edu/pub/OpenBSD/OpenSSH/portable/ \
                    ftp://openbsd.mirrors.pair.com/ftp/OpenSSH/portable \
                    ftp://openbsd.secsup.org/pub/openbsd/OpenSSH/portable/

# Built against the MacPorts OpenSSL and zlib rather than the system copies
# (see --with-ssl-dir / --with-zlib in configure.args), so OpenSSL security
# fixes arrive through the openssl port, not through OS updates.
depends_lib         port:openssl \
                    port:zlib

# The HPN diff (hpn variant) is generated with a one-level path prefix, so
# every patch shipped with this port is written for -p1 as well; keeping a
# single patch.args value avoids per-patch special cases.
patch.args          -p1
# Applied in this order.  The pam and sandbox patches are explained in the
# comment block below; launchd.patch adds launchd integration and
# patch-bug_curve25519pad.diff is the upstream curve25519 KEX fix.
patchfiles          launchd.patch \
                    pam.patch \
                    patch-sandbox-darwin.c-apple-sandbox-named-external.diff \
                    patch-sshd.c-apple-sandbox-named-external.diff \
                    patch-bug_curve25519pad.diff

# Notes on the patches that are not self-explanatory:
# - pam.patch
#   getpwnam(3) on OS X always returns "*********" in the pw_passwd field even
#   when run as root, so it can't be used for authentication. This patch just
#   forces the use of PAM regardless of the configuration.
# - patch-*-apple-sandbox-named-external.diff
#   Use Apple's sandbox_init(3) in addition to standard privilege separation.
#   This requires a sandbox profile (which we provide) and the sandbox_init(3)
#   call before the chroot(2) to privsep-path ($prefix/var/empty), or it will
#   fail to load the sandbox description and libsandbox.1.dylib.
# - patch-bug_curve25519pad.diff
#   Appears to be the upstream fix for the curve25519-sha256 shared-secret
#   padding bug in 6.5/6.6 (the change that became the 6.6.1p1 release);
#   re-check whether it is still needed when the version is bumped.

post-patch {
    # The sandbox patch hard-codes the profile location as @PREFIX@; fill in
    # the real prefix so the sshd built here finds the profile that
    # post-destroot installs under ${prefix}/share/${name}.
    set sandbox_src [file join ${worksrcpath} sandbox-darwin.c]
    reinplace "s|@PREFIX@|${prefix}|g" ${sandbox_src}
}

# Use Apple's sandboxing feature: this define enables the sandbox_init(3)
# code added by the apple-sandbox-named-external patches (switched off again
# for darwin 9 further down).
configure.cppflags-append -D__APPLE_SANDBOX_NAMED_EXTERNAL__
# Make ld look for both .dylib and .a in each -L directory before moving to
# the next one; the intent is presumably that the MacPorts libcrypto/libz in
# ${prefix}/lib win over the system copies.
configure.ldflags-append  -Wl,-search_paths_first
# Security-relevant switches:
#   --with-ssl-dir / --with-zlib   link the MacPorts OpenSSL and zlib
#   --with-privsep-path            empty directory the pre-auth child
#                                  chroots into (kept by destroot.keepdirs)
#   --with-pam                     the only usable auth backend on OS X,
#                                  see pam.patch
#   --with-pie                     position-independent executables (ASLR)
#   --with-tcp-wrappers            hosts.allow/hosts.deny via libwrap
#   --without-kerberos5 / --without-xauth
#                                  re-enabled by the kerberos5 / xauth
#                                  variants below
#   --with-md5-passwords           presumably inert here, since pam.patch
#                                  bypasses the pw_passwd field entirely
configure.args      --with-ssl-dir=${prefix} \
                    --sysconfdir=${prefix}/etc/ssh \
                    --with-privsep-path=${prefix}/var/empty \
                    --with-md5-passwords \
                    --with-pid-dir=${prefix}/var/run \
                    --with-tcp-wrappers \
                    --with-pam \
                    --mandir=${prefix}/share/man \
                    --with-zlib=${prefix} \
                    --without-kerberos5 \
                    --with-libedit \
                    --with-pie \
                    --without-xauth

use_parallel_build  yes

# Install without generating host keys; the startup item creates any that
# are missing the first time sshd is started.
destroot.target     install-nokeys

# Run the upstream regression suite against the freshly built binaries.
test.run            yes
test.target         tests

# Darwin 12 (OS X 10.8) and later need the MacPorts libwrap; earlier
# releases presumably link the copy that ships with the system.
if {${os.major} >= 12} {
    depends_lib-append  port:tcp_wrappers
}

post-destroot {
    # Empty runtime directories that must survive packaging: the pid-file
    # directory and the privilege-separation chroot.
    destroot.keepdirs ${destroot}${prefix}/var/run \
                      ${destroot}${prefix}/var/empty

    # Listen on 2222 out of the box so this sshd never collides with Apple's
    # sshd on port 22.
    reinplace "s|#Port 22|Port 2222|g" \
        [file join ${destroot}${prefix}/etc/ssh sshd_config]

    # ssh-copy-id lives in contrib/ and is not covered by "make install".
    xinstall -m 755 [file join ${worksrcpath} contrib ssh-copy-id] \
        ${destroot}${prefix}/bin
    xinstall -m 644 [file join ${worksrcpath} contrib ssh-copy-id.1] \
        ${destroot}${prefix}/share/man/man1

    # The named sandbox profile that sandbox-darwin.c loads (path filled in
    # by post-patch).  Installed read-only; since MacPorts activates files as
    # root, an unprivileged user cannot rewrite it and weaken the sandbox.
    xinstall -m 755 -d ${destroot}${prefix}/share/${name}
    xinstall -m 644 [file join ${filespath} org.openssh.sshd.sb] \
        ${destroot}${prefix}/share/${name}

    # Ship the configs as *.example so an upgrade never overwrites a locally
    # edited sshd_config/ssh_config; post-activate seeds the live copies.
    foreach cfg {sshd_config ssh_config} {
        set cfgpath [file join ${destroot}${prefix}/etc/ssh ${cfg}]
        file rename ${cfgpath} ${cfgpath}.example
    }
}

post-activate {
    # First activation only: create the live configs from the shipped
    # examples.  Files that already exist (local edits, previous installs)
    # are left alone.
    foreach cfg {sshd_config ssh_config} {
        set live [file join ${prefix}/etc/ssh ${cfg}]
        if {[file exists ${live}]} {
            continue
        }
        file copy ${live}.example ${live}
    }
}

variant xauth description {Build with support for xauth} {
    # X11 forwarding needs xauth(1) at runtime; point configure at the
    # MacPorts binary instead of letting it probe the build host.
    depends_run-append      port:xauth
    configure.args-delete   --without-xauth
    configure.args-append   --with-xauth=${prefix}/bin/xauth
}

variant no_x11 conflicts xauth description {Legacy compatibility variant} {}

variant hpn conflicts gsskex description {Apply high performance patch} {
    # http://www.psc.edu/index.php/hpn-ssh
    # http://www.freshports.org/security/openssh-portable/ is usually quick in
    # updating the HPN patch for new versions, take a look there, too.
    #
    # The diff comes from a third-party mirror over plain http; the rmd160 and
    # sha256 below are what pin its contents, so refresh both whenever the
    # file changes.  It is versioned 6.6.1p1 while this port builds 6.6p1 --
    # presumably fine because the 6.6.1 change is already carried by
    # patch-bug_curve25519pad.diff, but re-verify on every version bump.
    patch_sites-append      http://mirror.shatow.net/freebsd/${name}/
    set hpn_patchfile       ${name}-6.6.1p1-hpnssh14v2.diff.gz
    patchfiles-append       ${hpn_patchfile}
    checksums-append        ${hpn_patchfile} \
                            rmd160  61b19b09adb61996703f1bdb82df98c5abe9ebd3 \
                            sha256  b7f5bd22f1c0bacd41fc4884aeb19bba460d548af875eeb6c857cb77bab53376
}

variant gsskex conflicts hpn requires kerberos5 description "Add OpenSSH GSSAPI key exchange patch" {
    # The patches presumably touch configure.ac, hence the autoreconf.
    use_autoreconf          yes
    # NOTE(review): the gsskex diff is the 6.3p1 one applied to 6.6p1 sources
    # -- confirm it still applies and builds whenever the version changes.
    patchfiles-append       0002-Apple-keychain-integration-other-changes.patch \
                            openssh-6.3p1-gsskex-all-20130920.patch
    # Apple-specific hooks pulled in by the keychain patch: DirectoryService
    # and CoreFoundation frameworks plus the launchd, membership and Xsan
    # code paths.
    configure.cppflags-append \
                            -F/System/Library/Frameworks/DirectoryService.framework \
                            -F/System/Library/Frameworks/CoreFoundation.framework \
                            -D_UTMPX_COMPAT \
                            -D__APPLE_LAUNCHD__ \
                            -D__APPLE_MEMBERSHIP__ \
                            -D__APPLE_XSAN__
    # -Wl,-pie / -fPIE duplicate what --with-pie in configure.args already
    # requests; harmless.
    configure.ldflags-append \
                            -Wl,-pie \
                            -framework CoreFoundation \
                            -framework DirectoryService
    configure.cflags-append -fPIE
    # BSM audit and the Apple keychain backend come from the keychain patch.
    # utmp/wtmp are disabled in favour of utmpx (see _UTMPX_COMPAT above).
    # _sshd is the privsep account Apple's own sshd uses; nothing in this
    # Portfile creates it, so the system must already provide it.
    configure.args-append   --with-4in6 \
                            --with-audit=bsm \
                            --with-keychain=apple \
                            --disable-utmp \
                            --disable-wtmp \
                            --with-privsep-user=_sshd
}

variant kerberos5 description "Add Kerberos5 support" {
    # Swap the default --without-kerberos5 for the MacPorts Kerberos tree;
    # this is also what the gsskex variant requires.
    configure.args-delete   --without-kerberos5
    configure.args-append   --with-kerberos5=${prefix}
    depends_lib-append      port:kerberos5
}

variant ldns description "Use ldns for DNSSEC support" {
    # ldns lets ssh validate SSHFP host-key records via DNSSEC
    # (VerifyHostKeyDNS).
    depends_lib-append      port:ldns
    configure.args-append   --with-ldns
}

# +xauth is the default unless the legacy +no_x11 variant was selected;
# +kerberos5 is always on by default.
if {![variant_isset no_x11]} {
    default_variants        +xauth
}
default_variants-append     +kerberos5

platform darwin {
    # create link to /usr/include/pam because 'security' was renamed to 'pam'
    # in OS X.
    # OpenSSH includes <security/pam_appl.h>; OS X keeps those headers under
    # /usr/include/pam, so a security/ shim is created in the work area.
    # NOTE(review): nothing visible in this Portfile adds ${workpath}/include
    # to the include path -- verify on a clean build that configure actually
    # finds the PAM headers through this link.
    pre-configure {
        xinstall -d ${workpath}/include
        # drop a stale link left by an earlier configure run before recreating
        file delete ${workpath}/include/security
        ln -s /usr/include/pam ${workpath}/include/security
    }
}

platform darwin 9 {
    # 10.5/ppc doesn't like the sandbox file we supply, so build without
    # the Apple sandbox there; standard privilege separation still applies.
    configure.cppflags-delete -D__APPLE_SANDBOX_NAMED_EXTERNAL__
}

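# launchd job.  Host keys are not created at install time
# (destroot.target install-nokeys), so the start script generates every
# missing key before launching sshd.  The keys deliberately carry no
# passphrase (-N "") because sshd must read them unattended; what protects
# them is the 0600 mode ssh-keygen applies and root ownership of
# ${prefix}/etc/ssh.
#
# The rsa1 key is only used when "Protocol 1" is enabled in sshd_config,
# which is off by default and should stay off (SSH-1 is insecure); drop that
# stanza if you never need it.
#
# Fix: the ed25519 guard used to test "ssh_ed25519_rsa_key" (a typo that
# never matched the file being written), so ssh-keygen was re-run against
# the existing ssh_host_ed25519_key on every start instead of skipping it.
startupitem.create  yes
startupitem.name    OpenSSH
startupitem.start   \
    "if \[ -x ${prefix}/sbin/sshd \]; then
        if \[ ! -f ${prefix}/etc/ssh/ssh_host_key \]; then
            ${prefix}/bin/ssh-keygen -t rsa1 -f \\
            ${prefix}/etc/ssh/ssh_host_key -N \"\" -C `hostname`
        fi
        if \[ ! -f ${prefix}/etc/ssh/ssh_host_dsa_key \]; then
            ${prefix}/bin/ssh-keygen -t dsa -f \\
            ${prefix}/etc/ssh/ssh_host_dsa_key -N \"\" -C `hostname`
        fi
        if \[ ! -f ${prefix}/etc/ssh/ssh_host_rsa_key \]; then
            ${prefix}/bin/ssh-keygen -t rsa -f \\
            ${prefix}/etc/ssh/ssh_host_rsa_key -N \"\" -C `hostname`
        fi
        if \[ ! -f ${prefix}/etc/ssh/ssh_host_ecdsa_key \]; then
            ${prefix}/bin/ssh-keygen -t ecdsa -f \\
            ${prefix}/etc/ssh/ssh_host_ecdsa_key -N \"\" -C `hostname`
        fi
        if \[ ! -f ${prefix}/etc/ssh/ssh_host_ed25519_key \]; then
            ${prefix}/bin/ssh-keygen -t ed25519 -f \\
            ${prefix}/etc/ssh/ssh_host_ed25519_key -N \"\" -C `hostname`
        fi
        ${prefix}/sbin/sshd
    fi"
# Stop through the pid file written under --with-pid-dir.  Only the listening
# master is signalled; per-connection sshd children keep running.
startupitem.stop    \
    "if \[ -r ${prefix}/var/run/sshd.pid \]; then
        kill `cat ${prefix}/var/run/sshd.pid`
    fi"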

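# Scan the mirror's directory listing for newer portable tarballs.
# The previous pattern, [5-9].[0-9]p[0-9], left the "." unescaped and only
# matched two-component versions, so three-component releases such as
# 6.6.1p1 (the one the hpn variant's patch already targets) were never
# reported.  Allow an optional third component and multi-digit fields;
# MacPorts compares all matches and reports the highest.
livecheck.type      regex
livecheck.url       http://openbsd.cs.fau.de/pub/OpenBSD/OpenSSH/portable/
livecheck.regex     openssh-(\[5-9\]\\.\[0-9\]+(?:\\.\[0-9\]+)?p\[0-9\]+)[quotemeta ${extract.suffix}]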
