openssh: 8.4p1 -> 8.5p1 and refactor

Also split out the variants of the package because I'm sick of waiting
for random patches to be updated before I can update my unpatched
openssh.

Also make pname correspond to the attribute name.

4 files changed, 183 insertions, 122 deletions

diff --git a/pkgs/tools/networking/openssh/common.nix b/pkgs/tools/networking/openssh/common.nix
new file mode 100644
index 00000000000..9d4aaad25cd
--- /dev/null
+++ b/pkgs/tools/networking/openssh/common.nix
@@ -0,0 +1,115 @@
+{ pname
+, version
+, extraDesc ? ""
+, src
+, extraPatches ? []
+, extraNativeBuildInputs ? []
+}:
+
+{ lib, stdenv
+, fetchurl
+, fetchpatch
+, zlib
+, openssl
+, libedit
+, pkg-config
+, pam
+, etcDir ? null
+, withKerberos ? true
+, kerberos
+, libfido2
+, withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl
+, linkOpenssl ? true
+}:
+
+with lib;
+stdenv.mkDerivation rec {
+  inherit pname version src;
+
+  patches = [
+    ./locale_archive.patch
+
+    # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
+    ./dont_create_privsep_path.patch
+  ] ++ extraPatches;
+
+  postPatch =
+    # On Hydra this makes installation fail (sometimes?),
+    # and nix store doesn't allow such fancy permission bits anyway.
+    ''
+      substituteInPlace Makefile.in --replace '$(INSTALL) -m 4711' '$(INSTALL) -m 0711'
+    '';
+
+  nativeBuildInputs = [ pkg-config ]
+    ++ optional withKerberos kerberos.dev
+    ++ extraNativeBuildInputs;
+  buildInputs = [ zlib openssl libedit ]
+    ++ optional withFIDO libfido2
+    ++ optional withKerberos kerberos
+    ++ optional stdenv.isLinux pam;
+
+  preConfigure = ''
+    # Setting LD causes `configure' and `make' to disagree about which linker
+    # to use: `configure' wants `gcc', but `make' wants `ld'.
+    unset LD
+  ''
+  # Upstream build system does not support static build, so we fall back
+  # on fragile patching of configure script.
+  #
+  # libedit is found by pkg-config, but without --static flag, required
+  # to get also transitive dependencies for static linkage, hence sed
+  # expression.
+  #
+  # Kerberos can be found either by krb5-config or by fall-back shell
+  # code in openssh's configure.ac. Neither of them support static
+  # build, but patching code for krb5-config is simpler, so to get it
+  # into PATH, kerberos.dev is added into buildInputs.
+  + optionalString stdenv.hostPlatform.isStatic ''
+    sed -i "s,PKGCONFIG --libs,PKGCONFIG --libs --static,g" configure
+    sed -i 's#KRB5CONF --libs`#KRB5CONF --libs` -lkrb5support -lkeyutils#g' configure
+    sed -i 's#KRB5CONF --libs gssapi`#KRB5CONF --libs gssapi` -lkrb5support -lkeyutils#g' configure
+  '';
+
+  # I set --disable-strip because later we strip anyway. And it fails to strip
+  # properly when cross building.
+  configureFlags = [
+    "--sbindir=\${out}/bin"
+    "--localstatedir=/var"
+    "--with-pid-dir=/run"
+    "--with-mantype=man"
+    "--with-libedit=yes"
+    "--disable-strip"
+    (if stdenv.isLinux then "--with-pam" else "--without-pam")
+  ] ++ optional (etcDir != null) "--sysconfdir=${etcDir}"
+    ++ optional withFIDO "--with-security-key-builtin=yes"
+    ++ optional withKerberos (assert kerberos != null; "--with-kerberos5=${kerberos}")
+    ++ optional stdenv.isDarwin "--disable-libutil"
+    ++ optional (!linkOpenssl) "--without-openssl";
+
+  buildFlags = [ "SSH_KEYSIGN=ssh-keysign" ];
+
+  enableParallelBuilding = true;
+
+  hardeningEnable = [ "pie" ];
+
+  postInstall = ''
+    # Install ssh-copy-id, it's very useful.
+    cp contrib/ssh-copy-id $out/bin/
+    chmod +x $out/bin/ssh-copy-id
+    cp contrib/ssh-copy-id.1 $out/share/man/man1/
+  '';
+
+  installTargets = [ "install-nokeys" ];
+  installFlags = [
+    "sysconfdir=\${out}/etc/ssh"
+  ];
+
+  meta = {
+    description = "An implementation of the SSH protocol${extraDesc}";
+    homepage = "https://www.openssh.com/";
+    changelog = "https://www.openssh.com/releasenotes.html";
+    license = licenses.bsd2;
+    platforms = platforms.unix ++ platforms.windows;
+    maintainers = with maintainers; [ eelco aneeshusa ];
+  };
+}
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index 17a227c496a..67082b15bc5 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -1,141 +1,63 @@
-{ lib, stdenv
-, pkgs
-, fetchurl
-, fetchpatch
-, zlib
-, openssl
-, libedit
-, pkg-config
-, pam
-, autoreconfHook
-, etcDir ? null
-, hpnSupport ? false
-, withKerberos ? true
-, withGssapiPatches ? false
-, kerberos
-, libfido2
-, withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl
-, linkOpenssl ? true
-}:
-
+{ callPackage, fetchurl, fetchpatch, autoreconfHook }:
 let
+  common = opts: callPackage (import ./common.nix opts) {};
+in {
 
-  version = "8.4p1";
-
-  # **please** update this patch when you update to a new openssh release.
-  gssapiPatch = fetchpatch {
-    name = "openssh-gssapi.patch";
-    url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%25${version}-2/debian/patches/gssapi.patch";
-    sha256 = "1z1ckzimlkm1dmr9f5fqjnjg28gsqcwx6xka0klak857548d2lp2";
-  };
+  openssh = common rec {
+    pname = "openssh";
+    version = "8.5p1";
 
-in
-with lib;
-stdenv.mkDerivation rec {
-  pname = "openssh";
-  inherit version;
+    src = fetchurl {
+      url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
+      sha256 = "09gc8rv7728chxraab85dzkdikaw4aph1wlcwcc9kai9si0kybzm";
+    };
 
-  src = if hpnSupport then
-      fetchurl {
-        url = "https://github.com/rapier1/openssh-portable/archive/hpn-KitchenSink-${replaceStrings [ "." "p" ] [ "_" "_P" ] version}.tar.gz";
-        sha256 = "1x2afjy1isslbg7qlvhhs4zhj2c8q2h1ljz0fc5b4h9pqcm9j540";
-      }
-    else
-      fetchurl {
-        url = "mirror://openbsd/OpenSSH/portable/${pname}-${version}.tar.gz";
-        sha256 = "091b3pxdlj47scxx6kkf4agkx8c8sdacdxx8m1dw1cby80pd40as";
-      };
+    extraPatches = [ ./ssh-keysign-8.5.patch ];
+  };
 
-  patches =
-    [
-      ./locale_archive.patch
+  openssh_hpn = common rec {
+    pname = "openssh-with-hpn";
+    version = "8.4p1";
+    extraDesc = " with high performance networking patches";
 
-      # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
-      ./dont_create_privsep_path.patch
+    src = fetchurl {
+      url = "https://github.com/rapier1/openssh-portable/archive/hpn-KitchenSink-${builtins.replaceStrings [ "." "p" ] [ "_" "_P" ] version}.tar.gz";
+      sha256 = "1x2afjy1isslbg7qlvhhs4zhj2c8q2h1ljz0fc5b4h9pqcm9j540";
+    };
 
-      ./ssh-keysign.patch
+    extraPatches = [
+      ./ssh-keysign-8.4.patch
 
       # See https://github.com/openssh/openssh-portable/pull/206
       ./ssh-copy-id-fix-eof.patch
-    ]
-    ++ optional withGssapiPatches (assert withKerberos; gssapiPatch);
-
-  postPatch =
-    # On Hydra this makes installation fail (sometimes?),
-    # and nix store doesn't allow such fancy permission bits anyway.
-    ''
-      substituteInPlace Makefile.in --replace '$(INSTALL) -m 4711' '$(INSTALL) -m 0711'
-    '';
+    ];
 
-  nativeBuildInputs = [ pkg-config ]
-    ++ optional (hpnSupport || withGssapiPatches) autoreconfHook
-    ++ optional withKerberos pkgs.kerberos.dev;
-  buildInputs = [ zlib openssl libedit pam ]
-    ++ optional withFIDO libfido2
-    ++ optional withKerberos kerberos;
-
-  preConfigure = ''
-    # Setting LD causes `configure' and `make' to disagree about which linker
-    # to use: `configure' wants `gcc', but `make' wants `ld'.
-    unset LD
-  ''
-  # Upstream build system does not support static build, so we fall back
-  # on fragile patching of configure script.
-  #
-  # libedit is found by pkg-config, but without --static flag, required
-  # to get also transitive dependencies for static linkage, hence sed
-  # expression.
-  #
-  # Kerberos can be found either by krb5-config or by fall-back shell
-  # code in openssh's configure.ac. Neither of them support static
-  # build, but patching code for krb5-config is simpler, so to get it
-  # into PATH, kerberos.dev is added into buildInputs.
-  + optionalString stdenv.hostPlatform.isStatic ''
-    sed -i "s,PKGCONFIG --libs,PKGCONFIG --libs --static,g" configure
-    sed -i 's#KRB5CONF --libs`#KRB5CONF --libs` -lkrb5support -lkeyutils#g' configure
-    sed -i 's#KRB5CONF --libs gssapi`#KRB5CONF --libs gssapi` -lkrb5support -lkeyutils#g' configure
-  '';
-
-  # I set --disable-strip because later we strip anyway. And it fails to strip
-  # properly when cross building.
-  configureFlags = [
-    "--sbindir=\${out}/bin"
-    "--localstatedir=/var"
-    "--with-pid-dir=/run"
-    "--with-mantype=man"
-    "--with-libedit=yes"
-    "--disable-strip"
-    (if pam != null then "--with-pam" else "--without-pam")
-  ] ++ optional (etcDir != null) "--sysconfdir=${etcDir}"
-    ++ optional withFIDO "--with-security-key-builtin=yes"
-    ++ optional withKerberos (assert kerberos != null; "--with-kerberos5=${kerberos}")
-    ++ optional stdenv.isDarwin "--disable-libutil"
-    ++ optional (!linkOpenssl) "--without-openssl";
+    extraNativeBuildInputs = [ autoreconfHook ];
+  };
 
-  buildFlags = [ "SSH_KEYSIGN=ssh-keysign" ];
+  openssh_gssapi = common rec {
+    pname = "openssh-with-gssapi";
+    version = "8.4p1";
+    extraDesc = " with GSSAPI support";
 
-  enableParallelBuilding = true;
+    src = fetchurl {
+      url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
+      sha256 = "091b3pxdlj47scxx6kkf4agkx8c8sdacdxx8m1dw1cby80pd40as";
+    };
 
-  hardeningEnable = [ "pie" ];
+    extraPatches = [
+      ./ssh-keysign-8.4.patch
 
-  postInstall = ''
-    # Install ssh-copy-id, it's very useful.
-    cp contrib/ssh-copy-id $out/bin/
-    chmod +x $out/bin/ssh-copy-id
-    cp contrib/ssh-copy-id.1 $out/share/man/man1/
-  '';
+      # See https://github.com/openssh/openssh-portable/pull/206
+      ./ssh-copy-id-fix-eof.patch
 
-  installTargets = [ "install-nokeys" ];
-  installFlags = [
-    "sysconfdir=\${out}/etc/ssh"
-  ];
+      (fetchpatch {
+        name = "openssh-gssapi.patch";
+        url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%25${version}-2/debian/patches/gssapi.patch";
+        sha256 = "1z1ckzimlkm1dmr9f5fqjnjg28gsqcwx6xka0klak857548d2lp2";
+      })
+    ];
 
-  meta = {
-    description = "An implementation of the SSH protocol";
-    homepage = "https://www.openssh.com/";
-    changelog = "https://www.openssh.com/releasenotes.html";
-    license = lib.licenses.bsd2;
-    platforms = platforms.unix ++ platforms.windows;
-    maintainers = with maintainers; [ eelco aneeshusa ];
+    extraNativeBuildInputs = [ autoreconfHook ];
   };
 }
diff --git a/pkgs/tools/networking/openssh/ssh-keysign.patch b/pkgs/tools/networking/openssh/ssh-keysign-8.4.patch
index 7258f4a4db1..7258f4a4db1 100644
--- a/pkgs/tools/networking/openssh/ssh-keysign.patch
+++ b/pkgs/tools/networking/openssh/ssh-keysign-8.4.patch
diff --git a/pkgs/tools/networking/openssh/ssh-keysign-8.5.patch b/pkgs/tools/networking/openssh/ssh-keysign-8.5.patch
new file mode 100644
index 00000000000..67c45b6b7d8
--- /dev/null
+++ b/pkgs/tools/networking/openssh/ssh-keysign-8.5.patch
@@ -0,0 +1,24 @@
+diff --git a/pathnames.h b/pathnames.h
+index cb44caa4..354fdf05 100644
+--- a/pathnames.h
++++ b/pathnames.h
+@@ -124,7 +124,7 @@
+ 
+ /* Location of ssh-keysign for hostbased authentication */
+ #ifndef _PATH_SSH_KEY_SIGN
+-#define _PATH_SSH_KEY_SIGN		"/usr/libexec/ssh-keysign"
++#define _PATH_SSH_KEY_SIGN		"ssh-keysign"
+ #endif
+ 
+ /* Location of ssh-pkcs11-helper to support keys in tokens */
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -2021,7 +2021,7 @@
+ 
+ 		debug3_f("[child] pid=%ld, exec %s",
+ 		    (long)getpid(), _PATH_SSH_KEY_SIGN);
+-		execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *)NULL);
++		execlp(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *)NULL);
+ 		fatal_f("exec(%s): %s", _PATH_SSH_KEY_SIGN,
+ 		    strerror(errno));
+ 	}