# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4

PortSystem          1.0
PortGroup           compiler_blacklist_versions 1.0
PortGroup           muniversal 1.0
PortGroup           legacysupport 1.1

# Availability.h
legacysupport.newest_darwin_requires_legacy 8

set major_v         3
name                openssl$major_v
# For rolling back to 3.1.4 release where needed. Must now stay.
epoch               1
version             ${major_v}.2.1
revision            1

# Please revbump these ports when updating the openssl3 version/revision
#  - freeradius (#43461)
#  - openssh (#54990)
#  - p5-net-ssleay (#67321, for minor version bumps)
#  - openssl (to rebuild the shim links).

categories          devel security
platforms           darwin
license             Apache-2
maintainers         {larryv @larryv} {cal @neverpanic} openmaintainer

description         OpenSSL SSL/TLS cryptography library
long_description    The OpenSSL Project is a collaborative effort to \
                    develop a robust, commercial-grade, full-featured, \
                    and Open Source toolkit implementing the Secure \
                    Sockets Layer (SSL v2/v3) and Transport Layer \
                    Security (TLS v1) protocols as well as \
                    a full-strength general purpose cryptography \
                    library.
homepage            https://www.openssl.org

depends_lib         port:zlib

distname            openssl-${version}

# See https://www.openssl.org/source/mirror.html
master_sites        ${homepage}/source \
                    ftp://gd.tuwien.ac.at/infosys/security/openssl/source/ \
                    http://mirror.switch.ch/ftp/mirror/openssl/source/ \
                    ftp://ftp.fi.muni.cz/pub/openssl/source/ \
                    ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
                    http://artfiles.org/openssl.org/source/ \
                    ftp://ftp.linux.hr/pub/openssl/source/ \
                    ftp://guest.kuria.katowice.pl/pub/openssl/source/

checksums           rmd160  0182f83617754e1a2b0f6864679a7cd9c088e172 \
                    sha256  83c7329fe52c850677d75e5d0b0ca245309b97e8ecbcfdc1dfdc4ab9fac35b39 \
                    size    17733249

patchfiles          e9d7083e241670332e0443da0f0d4ffb52829f08.patch

# 3.2.0 is currently broken for OS < 10.14, see #68766
if {${os.platform} eq "darwin" && ${os.major} < 18} {

    subport ${name}-devel {
        conflicts           ${name}
    }

    if {$subport eq $name} {
        conflicts           ${name}-devel
        version             ${major_v}.1.5
        revision            1

        distname            openssl-${version}

        checksums           rmd160  9c3e80f27e0b15b6b46774a944d75cf034358474 \
                            sha256  6ae015467dabf0469b139ada93319327be24b98251ffaeceda0221848dc09262 \
                            size    15663524

        patchfiles-replace  e9d7083e241670332e0443da0f0d4ffb52829f08.patch \
                            7e4d731b1c07201ad9374c1cd9ac5263bdf35bce.patch
    }

}

if {${os.platform} eq "darwin" && ${os.major} < 11} {
    # Having the stdlib set to libc++ on 10.6 causes a dependency on a
    # macports-clang compiler to be added, which would be a dep cycle.
    configure.cxx_stdlib
}

set my_name         openssl-${major_v}
set my_prefix       ${prefix}/libexec/${name}

configure.ccache    no
configure.perl      /usr/bin/perl
configure.cmd       ./Configure
configure.pre_args  --prefix=${my_prefix}
configure.args      -L${prefix}/lib \
                    --openssldir=${my_prefix}/etc/openssl \
                    shared \
                    zlib

# Use SDK if necessary.
if {${configure.sdkroot} ne ""} {
    configure.args-append   '-isysroot ${configure.sdkroot}' \
                            -Wl,-syslibroot,${configure.sdkroot}
}

set merger_arch_compiler no
array set merger_configure_args {
    ppc     darwin-ppc-cc
    i386    darwin-i386-cc
    ppc64   darwin64-ppc-cc
    x86_64  darwin64-x86_64-cc
    arm64   darwin64-arm64-cc
}
platform darwin {
    # Don't use i386 assembly on Tiger (#38015, #43303).
    if {${os.major} <= 8} {
        append merger_configure_args(i386) { no-asm}
        # https://trac.macports.org/ticket/58992
        configure.args-append no-async
    }
    # Don't use x86-64 assembly on Tiger or Leopard.
    if {${os.major} <= 9} {
        append merger_configure_args(x86_64) { no-asm}
        # OpenSSL requires Perl 5.10.0, while Leopard ships Perl 5.8.8
        depends_build-append    port:perl5
        configure.perl          ${prefix}/bin/perl5
    }
}
# Don't pass --host to configure.
array set merger_host {ppc {} i386 {} ppc64 {} x86_64 {} arm64 {}}

if {(!${universal_possible} || ![variant_isset universal])
        && [info exists merger_configure_args(${configure.build_arch})]} {
    configure.args-append $merger_configure_args(${configure.build_arch})
}
configure.universal_args-delete --disable-dependency-tracking

# https://github.com/openssl/openssl/issues/16551
# Fixes "Undefined symbols for architecture i386: ___atomic_is_lock_free"
if {(${configure.build_arch} eq "i386") || (${universal_possible} && [variant_isset universal] && "i386" in ${configure.universal_archs})} {
    configure.args-append   -DBROKEN_CLANG_ATOMICS
}

test.run            yes
test.target-append  HARNESS_JOBS=${build.jobs}

pre-destroot {
    if {[variant_exists universal] && [variant_isset universal]} {
        global merger_dont_diff
        if {[llength ${universal_archs_to_use}] > 2} {
            lappend merger_dont_diff ${my_prefix}/include/openssl/configuration.h
            # Previous version/revisions got this wrong, but this situation
            # is too obscure to justify revbumping the dependents.
            notes-append "Universal dependents may need to be rebuilt."
        }
    }
}

post-destroot {
    # Create some links to main prefix
    xinstall -d ${destroot}${prefix}/include/${my_name}
    xinstall -d ${destroot}${prefix}/lib/${my_name}
    ln -s ${my_prefix}/include/openssl ${destroot}/${prefix}/include/${my_name}/
    foreach l [glob -tails -directory ${destroot}${my_prefix}/lib *] {
        ln -s ${my_prefix}/lib/${l} ${destroot}/${prefix}/lib/${my_name}/${l}
    }
    foreach b [glob -tails -directory ${destroot}${my_prefix}/bin *] {
        ln -s ${my_prefix}/bin/${b} ${destroot}/${prefix}/bin/${b}-${major_v}
    }
    # shared/man dir seems to still end up in ${prefix} and not libexec...
    move ${destroot}${prefix}/share/man ${destroot}/${my_prefix}/share/
    # Create link to certs from curl-ca-bundle in install prefix
    ln -s ${prefix}/share/curl/curl-ca-bundle.crt ${destroot}${my_prefix}/etc/openssl/cert.pem
}

destroot.args       MANDIR=${prefix}/share/man MANSUFFIX=ssl

variant rfc3779 description {enable RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers} {
    configure.args-append   enable-rfc3779
}

variant fips description {enable FIPS} {
    configure.args-append   enable-fips
}

variant legacy description {enable legacy providers by default} {
    # See https://trac.macports.org/ticket/63857 for context
    post-destroot {
        set     cnf [open ${destroot}${my_prefix}/etc/openssl/openssl.cnf a]
        puts  ${cnf} ""
        puts  ${cnf} "# MacPorts additions to enable legacy providers by default"
        puts  ${cnf} "\[openssl_init\]"
        puts  ${cnf} "providers = provider_sect"
        puts  ${cnf} "\[provider_sect\]"
        puts  ${cnf} "default = default_sect"
        puts  ${cnf} "legacy = legacy_sect"
        puts  ${cnf} "\[default_sect\]"
        puts  ${cnf} "activate = 1"
        puts  ${cnf} "\[legacy_sect\]"
        puts  ${cnf} "activate = 1"
        close ${cnf}
    }
}

livecheck.type      regex
livecheck.url       [lindex ${master_sites} 0]
livecheck.regex     openssl-(${major_v}.\[0-9.\]+\[a-z\]?)\\.tar\\.gz