#!/usr/bin/make -f
# Run every recipe under bash. The brace expansion used in
# override_dh_auto_install ({cert.pem,certs,...}) depends on this.
export SHELL := /bin/bash

# Multiarch triplet of the host architecture. A value already present in the
# environment or on the command line wins; otherwise dpkg-architecture is asked.
DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)

# Installation layout. Everything is installed below /opt/alt/$(package).
# _lib is the library directory relative to the prefix (it is what gets passed
# to --libdir); _libdir is the same directory as an absolute path.
package			:= openssl
_prefix			:= /opt/alt/$(package)
_bindir			:= $(_prefix)/bin
_lib			:= lib/$(DEB_HOST_MULTIARCH)
_libdir			:= $(_prefix)/$(_lib)
_sysconfdir		:= $(_prefix)/etc
_includedir		:= $(_prefix)/include
_mandir			:= $(_prefix)/share/man
_defaultdocdir	:= $(_prefix)/share/doc

# Staging directories. TMP_ROOT is prefixed to the install paths in the
# install and builddeb overrides; BUILD_ROOT is not referenced in the visible
# part of this file.
BUILD_ROOT=debian
TMP_ROOT=debian/tmp

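# For generating the manpages.
# Upstream version taken from debian/changelog: the sed script drops everything
# up to the last ':' on the Version line and everything from the first '-'
# onwards (the Debian revision).
# Simply expanded (:=) so the dpkg-parsechangelog pipeline runs once at parse
# time instead of on every expansion of the exported variable.
export VERSION := $(shell dpkg-parsechangelog | grep '^Version:' | sed -e 's/^.*://' -e 's/-.*//')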

# Arguments handed to OpenSSL's ./config in override_dh_auto_configure.
# --libdir is given relative to --prefix; --openssldir points at
# $(_sysconfdir)/pki/tls.
#
# NOTE(review): several switches below turn on features that upstream
# OpenSSL 1.1.1 leaves disabled by default: SSLv3 (enable-ssl3,
# enable-ssl3-method), the cipher suites OpenSSL classifies as weak
# (enable-weak-ssl-ciphers), MD2 and RC5 (enable-md2, enable-rc5) and zlib
# compression support (zlib). Presumably this is deliberate legacy
# compatibility for an alternate build under /opt/alt -- confirm, and make
# sure consumers of this library restrict protocol versions and cipher lists
# at run time rather than relying on the library defaults.
#
# NOTE(review): enable-ec_nistp_64_gcc_128 is documented upstream as needing a
# 64-bit little-endian platform whose compiler provides a 128-bit integer
# type; confirm every architecture this package is built for qualifies.
#
# no-mdc2, no-ec2m, no-sm2 and no-sm4 remove those algorithms from the build.
CONFIGURE_EXTRA_FLAGS  = --prefix=$(_prefix) --openssldir=$(_sysconfdir)/pki/tls --libdir=$(_lib)
CONFIGURE_EXTRA_FLAGS +=  zlib
CONFIGURE_EXTRA_FLAGS +=  enable-camellia enable-seed enable-rfc3779 enable-sctp
CONFIGURE_EXTRA_FLAGS +=  enable-ssl3 enable-ssl3-method
CONFIGURE_EXTRA_FLAGS +=  enable-cms enable-md2 enable-rc5
CONFIGURE_EXTRA_FLAGS +=  enable-weak-ssl-ciphers
CONFIGURE_EXTRA_FLAGS +=  no-mdc2 no-ec2m no-sm2 no-sm4
CONFIGURE_EXTRA_FLAGS +=  enable-ec_nistp_64_gcc_128

# Embed an rpath pointing at the private library directory so the installed
# binaries and libraries resolve libssl/libcrypto from $(_libdir).
# The rpath is an absolute path; presumably that directory is only writable by
# root on the target system -- anything writable there would be loaded by
# every consumer of this build.
export LDFLAGS += -Wl,-rpath=$(_libdir)

# Catch-all rule: every target that has no override below is handed to the
# debhelper sequencer unchanged.
%:
	dh $@

# Configure the tree, apply the patches that quilt cannot handle, and delete a
# set of ssl-tests configuration files.
#
# Every recipe line must succeed: a patch that fails to apply, or an rm whose
# glob matches nothing, aborts the build. That also means this target cannot
# be re-run on an already patched tree.
#
# NOTE(review): the three patches are CVE-related and bypass the quilt series,
# so nothing else records whether they were applied. git-apply documents that
# when it runs from a subdirectory of a repository, patched paths outside that
# directory are ignored; if this tree is ever built inside a larger git
# checkout, confirm the patches actually land. The first git apply is invoked
# without the options used for the other two -- confirm that is intentional.
#
# NOTE(review): the reason for removing the client-auth and DTLS test
# configurations is not stated here; the corresponding test cases will not
# run, so regressions in those areas go unnoticed by the package build.
override_dh_auto_configure:
	./config $(CONFIGURE_EXTRA_FLAGS)
	# Apply the patch here (below configure) because it contains binary blobs and cannot be applied using quilt.
	git apply debian/patches/openssl-1.1.1-cve-2024-0727-tests.patch
	# These patches contain binary .der test data
	git apply --no-index --binary debian/patches/openssl-1.1.1-cve-2026-28389.patch
	git apply --no-index --binary debian/patches/openssl-1.1.1-cve-2026-28390.patch
	rm test/ssl-tests/04-client_auth.conf*
	rm test/ssl-tests/07-dtls-protocol-version.conf*
	rm test/ssl-tests/11-dtls_resumption.conf*
	rm test/ssl-tests/16-dtls-certstatus.conf*
	rm test/ssl-tests/18-dtls-renegotiate.conf*
	rm test/ssl-tests/29-dtls-sctp-label-bug.conf*


# Stage the upstream install into $(TMP_ROOT), rearrange it, then split the
# result across the alt-$(package), -dev, -libs and -doc binary packages.
#
# NOTE(review): pki/CA/private is created with mode 0700 below, but no
# override_dh_fixperms is visible in this file and dh_fixperms normally
# normalises modes with go=rX. Confirm the restrictive mode survives into the
# built package (dh_fixperms -X can exclude a path).
#
# NOTE(review): pki/tls/certs and pki/tls/private are shipped as symlinks to
# /etc/ssl/certs and /etc/ssl/private, so this build presumably shares the
# system trust store and key directory -- confirm that is intended.
override_dh_auto_install:
	dh_auto_install
# Move whatever matches engines* under $(_libdir)/openssl.
	install -d $(TMP_ROOT)$(_libdir)/openssl
	mv $(TMP_ROOT)$(_libdir)/engines* $(TMP_ROOT)$(_libdir)/openssl
# Drop cert.pem, certs, misc and private from the staged pki/tls. The {a,b}
# list is bash brace expansion, which is why SHELL is set to /bin/bash.
	rm -rf $(TMP_ROOT)$(_sysconfdir)/pki/tls/{cert.pem,certs,misc,private}
# Recreate the pki tree with explicit modes; only CA/private is owner-only.
	mkdir -m755 -p $(TMP_ROOT)$(_sysconfdir)/pki/tls
	mkdir -m755 $(TMP_ROOT)$(_sysconfdir)/pki/CA
	mkdir -m700 $(TMP_ROOT)$(_sysconfdir)/pki/CA/private
	mkdir -m755 $(TMP_ROOT)$(_sysconfdir)/pki/CA/certs
	mkdir -m755 $(TMP_ROOT)$(_sysconfdir)/pki/CA/crl
	mkdir -m755 $(TMP_ROOT)$(_sysconfdir)/pki/CA/newcerts
# Creates pki/tls/certs and pki/tls/private as symlinks into /etc/ssl.
	ln -s /etc/ssl/certs $(TMP_ROOT)$(_sysconfdir)/pki/tls/
	ln -s /etc/ssl/private $(TMP_ROOT)$(_sysconfdir)/pki/tls/

# alt-$(package): binaries, man1/5/7, the CA directories and the default
# configuration files.
	dh_movefiles -p alt-$(package) \
		.$(_bindir) \
		.$(_mandir)/man1 \
		.$(_mandir)/man5 \
		.$(_mandir)/man7 \
		.$(_sysconfdir)/pki/CA \
		.$(_sysconfdir)/pki/CA/certs \
		.$(_sysconfdir)/pki/CA/crl \
		.$(_sysconfdir)/pki/CA/newcerts \
		.$(_sysconfdir)/pki/CA/private \
		.$(_sysconfdir)/pki/tls/ct_log_list.cnf* \
		.$(_sysconfdir)/pki/tls/openssl.cnf* \
		.$(_defaultdocdir)/openssl/html/man1 \
		.$(_defaultdocdir)/openssl/html/man5

	dh_installdocs -p alt-$(package) \
		doc/HOWTO \
		doc/README \
		doc/fingerprints.txt

# alt-$(package)-dev: headers, static libraries, unversioned .so links,
# pkg-config files and the man3/man7 HTML pages.
	dh_movefiles -p alt-$(package)-dev \
		.$(_includedir) \
		.$(_libdir)/libcrypto.a \
		.$(_libdir)/libcrypto.so \
		.$(_libdir)/libssl.a \
		.$(_libdir)/libssl.so \
		.$(_libdir)/pkgconfig \
		.$(_defaultdocdir)/openssl/html/man3 \
		.$(_defaultdocdir)/openssl/html/man7

# alt-$(package)-libs: versioned shared objects, the openssl directory that
# received engines*, and the two /etc/ssl symlinks created above.
	dh_movefiles -p alt-$(package)-libs \
		.$(_libdir)/*.so.* \
		.$(_libdir)/*/*.so \
		.$(_libdir)/openssl \
		.$(_sysconfdir)/pki/tls/*certs \
		.$(_sysconfdir)/pki/tls/private

# alt-$(package)-doc: man3 pages plus the demos directory.
	dh_movefiles -p alt-$(package)-doc \
		.$(_mandir)/man3

	dh_installdocs -p alt-$(package)-doc \
		demos

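# Build the .deb files, then fail the build if any regular file is still left
# in $(TMP_ROOT), i.e. was installed but not claimed by a binary package.
#
# The leftover list is gathered with a shell command substitution ($$(...)),
# so find runs when this recipe line executes. A $(shell ...) call inside a
# recipe is expanded by make before the first command of the recipe starts,
# which would take the snapshot ahead of dh_builddeb.
#
# Only regular files are considered (-type f); leftover symlinks and empty
# directories are not reported. The printed paths have the $(TMP_ROOT) prefix
# stripped.
override_dh_builddeb:
	dh_builddeb
	leftover="$$(find $(TMP_ROOT) -type f)"; \
	if [ -n "$$leftover" ]; then \
		echo "Installed but unpackaged:"; \
		printf '%s\n' "$$leftover" | sed -e 's#$(TMP_ROOT)##g'; \
		exit 1; \
	fi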
