- Add pkg-config dependency which avoids some maintainer testing errors

and also removes a few unneeded library links such as -lcurses.
- libfido2 package is broken with pkg-config and base ssl. Workaround this
  by not using pkg-config for that library for now.
- Add USES=localbase to simplify some options
- Make crypt(3) MD5 password support optional but still on-by-default.  The
  default in FreeBSD changed in 10.0 but that does not mean
- Enable -Werror
- Remove some old baggage from the port build
 o The zlib version check has not been needed for a while.
 o sshd.8 has not had %%PREFIX%% or %$RC_SCRIPT_NAME%% since 2011
   and is not worth more patches/complexity.
 o The strnvis(3) problem noted in r311891 was fixed in OpenSSH 7.4.
 o autoreconf is run so it makes no sense to patch configure for -ldes
 o --with-md5-passwords is not needed as our crypt(3) supports it
   natively.  This is only relevant without PAM.

security/openssh-portable/Makefile

@@ -3,7 +3,7 @@
 
 PORTNAME=	openssh
 DISTVERSION=	8.4p1
-PORTREVISION=	1
+PORTREVISION=	2
 PORTEPOCH=	1
 CATEGORIES=	security
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@@ -19,12 +19,12 @@ LICENSE_PERMS=	dist-mirror dist-sell pkg-mirror pkg-sell auto-accept
 
 CONFLICTS?=		openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel-*
 
-USES=			alias autoreconf ncurses ssl
+USES=			alias autoreconf localbase ncurses pkgconfig ssl
 GNU_CONFIGURE=		yes
-CONFIGURE_ENV=		ac_cv_func_strnvis=no
-CONFIGURE_ARGS=		--prefix=${PREFIX} --with-md5-passwords \
-			--without-zlib-version-check --with-ssl-engine \
-			--with-mantype=man
+CONFIGURE_ARGS=		--prefix=${PREFIX} \
+			--with-ssl-engine \
+			--with-mantype=man \
+			--with-Werror
 
 ETCOLD=			${PREFIX}/etc
 
@@ -70,8 +70,6 @@ TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers
 LDNS_CONFIGURE_WITH=	ldns=${LOCALBASE}
 LDNS_LIB_DEPENDS=	libldns.so:dns/ldns
 LDNS_EXTRA_PATCHES=	${FILESDIR}/extra-patch-ldns
-LDNS_CFLAGS=		-I${LOCALBASE}/include
-LDNS_CONFIGURE_ON=	--with-ldflags='-L${LOCALBASE}/lib'
 
 HPN_CONFIGURE_WITH=		hpn
 NONECIPHER_CONFIGURE_WITH=	nonecipher
@@ -89,6 +87,8 @@ BSM_CONFIGURE_ON=	--with-audit=bsm
 FIDO_U2F_LIB_DEPENDS=	libfido2.so:security/libfido2
 FIDO_U2F_CONFIGURE_ON=	--with-security-key-builtin
 FIDO_U2F_CONFIGURE_OFF=	--disable-security-key
+# Until https://reviews.freebsd.org/D27289 is committed
+FIDO_U2F_EXTRA_PATCHES=	${FILESDIR}/extra-patch-libfido2-configure.ac
 
 BLACKLISTD_EXTRA_PATCHES=	${FILESDIR}/extra-patch-blacklistd
 
@@ -114,6 +114,7 @@ PATCH_SITES+=	https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_S
 # Bump this when updating the patch location
 GSSAPI_UPDATE_DATE=	20200607
 PATCHFILES+=	openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex
+EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-sshconnect2.c
 .endif
 
 .if ${PORT_OPTIONS:MBLACKLISTD}
@@ -134,8 +135,6 @@ EXTRA_PATCHES+=		${FILESDIR}/extra-patch-hpn:-p2
 EXTRA_PATCHES+=		${FILESDIR}/extra-patch-hpn-compat
 .endif
 
-CONFIGURE_LIBS+=	-lutil
-
 CONFIGURE_ARGS+=	--disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog
 
 # Keep this last
@@ -186,12 +185,9 @@ RC_SCRIPT_NAME=		openssh
 VERSION_ADDENDUM_DEFAULT?=	${OPSYS}-${PKGNAME}
 
 post-patch:
-	@${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure
 	@${REINPLACE_CMD} \
 	    -e 's|install: \(.*\) host-key check-config|install: \1|g' \
 	    ${WRKSRC}/Makefile.in
-	@${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \
-		-e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8
 	@${REINPLACE_CMD} \
 	    -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \
 	    ${WRKSRC}/sshd_config

security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c

@@ -0,0 +1,12 @@
+Avoid free(const char*)
+--- sshconnect2.c.orig	2020-11-19 14:56:54.387846000 -0800
++++ sshconnect2.c	2020-11-19 14:57:04.445045000 -0800
+@@ -846,7 +846,7 @@ userauth_gssapi(struct ssh *ssh)
+ 		/* Fall back to specified host if we are using proxy command
+ 		 * and can not use DNS on that socket */
+ 		if (strcmp(gss_host, "UNKNOWN") == 0) {
+-			gss_host = authctxt->host;
++			gss_host = xstrdup(authctxt->host);
+ 		}
+ 	} else {
+ 		gss_host = xstrdup(authctxt->host);

security/openssh-portable/files/extra-patch-libfido2-configure.ac

@@ -0,0 +1,16 @@
+Workaround libfido2 package having a libfido2.pc that requires libcrypto
+even with base OpenSSL which does not provide the proper pc file.
+
+--- configure.ac.orig	2020-11-19 14:21:03.890890000 -0800
++++ configure.ac	2020-11-19 14:21:57.061193000 -0800
+@@ -3256,8 +3256,8 @@ if test "x$enable_sk" = "xyes" -a "x$enable_sk_interna
+ 		fi
+ 	fi
+ 	if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
+-		LIBFIDO2=`$PKGCONFIG --libs libfido2`
+-		CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
++		LIBFIDO2="-lfido2 -lcrypto"
++		#CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
+ 	else
+ 		LIBFIDO2="-lfido2 -lcbor"
+ 	fi

security/openssh-portable/files/patch-session.c

@@ -13,8 +13,8 @@ to the child process.
 Reviewed by:    ache
 Sponsored by:   DARPA, NAI Labs
 
---- session.c.orig	2020-02-13 16:40:54.000000000 -0800
-+++ session.c	2020-03-23 16:01:07.583958000 -0700
+--- session.c.orig	2020-09-27 00:25:01.000000000 -0700
++++ session.c	2020-11-19 14:41:50.745308000 -0800
 @@ -946,7 +946,7 @@ read_etc_default_login(char ***env, u_int *envsize, ui
  }
  #endif /* HAVE_ETC_DEFAULT_LOGIN */
@@ -58,7 +58,16 @@ Sponsored by:   DARPA, NAI Labs
  	if (s->term)
  		child_set_env(&env, &envsize, "TERM", s->term);
  	if (s->display)
-@@ -1369,7 +1387,7 @@ do_setusercontext(struct passwd *pw)
+@@ -1285,7 +1303,7 @@ do_nologin(struct passwd *pw)
+ #ifdef HAVE_LOGIN_CAP
+ 	if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0)
+ 		return;
+-	nl = login_getcapstr(lc, "nologin", def_nl, def_nl);
++	nl = (char*)login_getcapstr(lc, "nologin", def_nl, def_nl);
+ #else
+ 	if (pw->pw_uid == 0)
+ 		return;
+@@ -1373,7 +1391,7 @@ do_setusercontext(struct passwd *pw)
  	if (platform_privileged_uidswap()) {
  #ifdef HAVE_LOGIN_CAP
  		if (setusercontext(lc, pw, pw->pw_uid,