# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4

PortSystem          1.0
PortGroup           compiler_blacklist_versions 1.0
PortGroup           muniversal 1.0
PortGroup           legacysupport 1.1

# Availability.h
legacysupport.newest_darwin_requires_legacy 8

set major_v         3
name                openssl$major_v
version             ${major_v}.0.1
revision            0

# Please revbump these ports when updating the openssl3 version/revision
#  - freeradius (#43461)
#  - openssh (#54990)
#  - openssl (to rebuild the shim links).

categories          devel security
platforms           darwin
license             Apache-2
maintainers         {larryv @larryv} {cal @neverpanic} openmaintainer

description         OpenSSL SSL/TLS cryptography library
long_description    The OpenSSL Project is a collaborative effort to \
                    develop a robust, commercial-grade, full-featured, \
                    and Open Source toolkit implementing the Secure \
                    Sockets Layer (SSL v2/v3) and Transport Layer \
                    Security (TLS v1) protocols as well as \
                    a full-strength general purpose cryptography \
                    library.
homepage            https://www.openssl.org

depends_lib         port:zlib

distname            openssl-${version}

# See https://www.openssl.org/source/mirror.html
master_sites        ${homepage}/source \
                    ftp://gd.tuwien.ac.at/infosys/security/openssl/source/ \
                    http://mirror.switch.ch/ftp/mirror/openssl/source/ \
                    ftp://ftp.fi.muni.cz/pub/openssl/source/ \
                    ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
                    http://artfiles.org/openssl.org/source/ \
                    ftp://ftp.linux.hr/pub/openssl/source/ \
                    ftp://guest.kuria.katowice.pl/pub/openssl/source/

checksums           rmd160  d4be29c790cd56aaac15fb6107982b419a6dd290 \
                    sha256  c311ad853353bce796edad01a862c50a8a587f62e7e2100ef465ab53ec9b06d1 \
                    size    15011207

if {${os.platform} eq "darwin" && ${os.major} < 11} {
    # Having the stdlib set to libc++ on 10.6 causes a dependency on a
    # macports-clang compiler to be added, which would be a dep cycle.
    configure.cxx_stdlib
}

#   https://github.com/openssl/openssl/commit/96ac8f13f4d0ee96baf5724d9f96c44c34b8606c
#   https://github.com/openssl/openssl/commit/2f3b120401533db82e99ed28de5fc8aab1b76b33
#   Patches updated to fix 10.4 build
#   To be seen if needed with 3.0.0, and if it needs updating.
#patchfiles-append   patch-pre-Sierra.diff

# https://github.com/openssl/openssl/pull/16584
# https://github.com/openssl/openssl/issues/16551
# Fixes "Undefined symbols for architecture i386: ___atomic_is_lock_free"
if {(${configure.build_arch} eq "i386") || (${universal_possible} && [variant_isset universal] && "i386" in ${configure.universal_archs})} {
    patchfiles-append   patch-fix-i386-atomics.diff
}

set my_name         openssl-${major_v}
set my_prefix       ${prefix}/libexec/${name}

#-----------------------------------------------------------------------------------------
# Fix compilation errors related to AVX-512 instruction set, occurring with Xcode Clang.
# Ticket: https://trac.macports.org/ticket/63622
#
#   crypto/bn/libcrypto-lib-rsaz-avx512.o crypto/bn/rsaz-avx512.s
#   crypto/bn/rsaz-avx512.s:36:2: error: instruction requires: AVX-512 ISA AVX-512 VL ISA
#    vpxord %ymm0,%ymm0,%ymm0
#    ^
#   crypto/bn/rsaz-avx512.s:37:2: error: instruction requires: AVX-512 ISA AVX-512 VL ISA
#    vmovdqa64 %ymm0,%ymm1
#    ^
#   crypto/bn/rsaz-avx512.s:38:2: error: instruction requires: AVX-512 ISA AVX-512 VL ISA
#    vmovdqa64 %ymm0,%ymm16
#    ^
#   crypto/bn/rsaz-avx512.s:39:2: error: instruction requires: AVX-512 ISA AVX-512 VL ISA
#    vmovdqa64 %ymm0,%ymm17
#    ^
#-----------------------------------------------------------------------------------------
if {${os.platform} eq "darwin" && ${os.major} < 19} {
    patchfiles-append patch-disable-avx512.diff
}

configure.ccache    no
configure.perl      /usr/bin/perl
configure.cmd       ./Configure
configure.pre_args  --prefix=${my_prefix}
configure.args      -L${prefix}/lib \
                    --openssldir=${my_prefix}/etc/openssl \
                    shared \
                    zlib

# Use SDK if necessary.
if {${configure.sdkroot} ne ""} {
    configure.args-append   '-isysroot ${configure.sdkroot}' \
                            -Wl,-syslibroot,${configure.sdkroot}
}

set merger_arch_compiler no
array set merger_configure_args {
    ppc     darwin-ppc-cc
    i386    darwin-i386-cc
    ppc64   darwin64-ppc-cc
    x86_64  darwin64-x86_64-cc
    arm64   darwin64-arm64-cc
}
platform darwin {
    # Don't use i386 assembly on Tiger (#38015, #43303).
    if {${os.major} <= 8} {
        append merger_configure_args(i386) { no-asm}
        # https://trac.macports.org/ticket/58992
        configure.args-append no-async
    }
    # Don't use x86-64 assembly on Tiger or Leopard.
    if {${os.major} <= 10} {
        append merger_configure_args(x86_64) { no-asm}
        # OpenSSL requires Perl 5.10.0, while Leopard ships Perl 5.8.8
        depends_build-append    port:perl5
        configure.perl          ${prefix}/bin/perl5
    }
}
# Don't pass --host to configure.
array set merger_host {ppc {} i386 {} ppc64 {} x86_64 {} arm64 {}}

if {![info exists universal_possible]} {
    set universal_possible [expr {${os.universal_supported} && [llength ${configure.universal_archs}] >= 2}]
}
if {(!${universal_possible} || ![variant_isset universal])
        && [info exists merger_configure_args(${configure.build_arch})]} {
    configure.args-append $merger_configure_args(${configure.build_arch})
}
configure.universal_args-delete --disable-dependency-tracking

test.run            yes

pre-destroot {
    if {[variant_exists universal] && [variant_isset universal]} {
        global merger_dont_diff
        if {[llength ${universal_archs_to_use}] > 2} {
            lappend merger_dont_diff ${prefix}/include/openssl/opensslconf.h
        }
    }
}

post-destroot {
    # Create some links to main prefix
    xinstall -d ${destroot}${prefix}/include/${my_name}
    xinstall -d ${destroot}${prefix}/lib/${my_name}
    ln -s ${my_prefix}/include/openssl ${destroot}/${prefix}/include/${my_name}/
    foreach l [glob -tails -directory ${destroot}${my_prefix}/lib *] {
        ln -s ${my_prefix}/lib/${l} ${destroot}/${prefix}/lib/${my_name}/${l}
    }
    foreach b [glob -tails -directory ${destroot}${my_prefix}/bin *] {
        ln -s ${my_prefix}/bin/${b} ${destroot}/${prefix}/bin/${b}-${major_v}
    }
    # shared/man dir seems to still end up in ${prefix} and not libexec...
    move ${destroot}${prefix}/share/man ${destroot}/${my_prefix}/share/
    # Create link to certs from curl-ca-bundle in install prefix
    ln -s ${prefix}/share/curl/curl-ca-bundle.crt ${destroot}${my_prefix}/etc/openssl/cert.pem
}

destroot.args       MANDIR=${prefix}/share/man MANSUFFIX=ssl

variant rfc3779 description {enable RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers} {
    configure.args-append   enable-rfc3779
}

variant fips description {enable FIPS} {
    configure.args-append   enable-fips
}

variant legacy description {enable legacy providers by default} {
    # See https://trac.macports.org/ticket/63857 for context
    post-destroot {
        set     cnf [open ${destroot}${my_prefix}/etc/openssl/openssl.cnf a]
        puts  ${cnf} ""
        puts  ${cnf} "# MacPorts additions to enable legacy providers by default"
        puts  ${cnf} "\[openssl_init\]"
        puts  ${cnf} "providers = provider_sect"
        puts  ${cnf} "\[provider_sect\]"
        puts  ${cnf} "default = default_sect"
        puts  ${cnf} "legacy = legacy_sect"
        puts  ${cnf} "\[default_sect\]"
        puts  ${cnf} "activate = 1"
        puts  ${cnf} "\[legacy_sect\]"
        puts  ${cnf} "activate = 1"
        close ${cnf}
    }
}
default_variants-append +legacy

livecheck.type      regex
livecheck.url       [lindex ${master_sites} 0]
livecheck.regex     openssl-(${major_v}.\[0-9.\]+\[a-z\]?)\\.tar\\.gz
