# Contributor: Ariadne Conill <ariadne@dereferenced.org>
# Contributor: Timo Teras <timo.teras@iki.fi>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=openssl
pkgver=3.5.1
_abiver=${pkgver%.*.*}
pkgrel=0
pkgdesc="Toolkit for Transport Layer Security (TLS)"
url="https://www.openssl.org/"
arch="all"
license="Apache-2.0"
provider_priority=100  # highest
makedepends_build="perl"
makedepends_host="linux-headers"
makedepends="$makedepends_host $makedepends_build"
subpackages="
	$pkgname-dbg
	$pkgname-libs-static
	$pkgname-dev
	$pkgname-doc
	$pkgname-misc::noarch
	libcrypto$_abiver:_libcrypto
	libssl$_abiver:_libssl
	"
source="https://github.com/openssl/openssl/releases/download/openssl-$pkgver/openssl-$pkgver.tar.gz
	auxv.patch
	man-section.patch
	"
builddir="$srcdir/openssl-$pkgver"

# secfixes:
#   3.5.1-r0:
#     - CVE-2025-4575
#   3.3.3-r0:
#     - CVE-2024-12797
#   3.3.2-r5:
#     - CVE-2024-13176
#   3.3.2-r3:
#     - CVE-2024-9143
#   3.3.2-r0:
#     - CVE-2024-6119
#   3.3.1-r1:
#     - CVE-2024-5535
#   3.3.0-r3:
#     - CVE-2024-4741
#   3.3.0-r2:
#     - CVE-2024-4603
#   3.2.1-r2:
#     - CVE-2024-2511
#   3.1.4-r5:
#     - CVE-2024-0727
#   3.1.4-r4:
#     - CVE-2023-6237
#   3.1.4-r3:
#     - CVE-2023-6129
#   3.1.4-r1:
#     - CVE-2023-5678
#   3.1.4-r0:
#     - CVE-2023-5363
#   3.1.2-r0:
#     - CVE-2023-3817
#   3.1.1-r3:
#     - CVE-2023-3446
#   3.1.1-r2:
#     - CVE-2023-2975
#   3.1.1-r0:
#     - CVE-2023-2650
#   3.1.0-r4:
#     - CVE-2023-1255
#   3.1.0-r2:
#     - CVE-2023-0465
#   3.1.0-r1:
#     - CVE-2023-0464
#   3.0.8-r0:
#     - CVE-2022-4203
#     - CVE-2022-4304
#     - CVE-2022-4450
#     - CVE-2023-0215
#     - CVE-2023-0216
#     - CVE-2023-0217
#     - CVE-2023-0286
#     - CVE-2023-0401
#   3.0.7-r2:
#     - CVE-2022-3996
#   3.0.7-r0:
#     - CVE-2022-3786
#     - CVE-2022-3602
#   3.0.6-r0:
#     - CVE-2022-3358
#   3.0.5-r0:
#     - CVE-2022-2097
#   3.0.3-r0:
#     - CVE-2022-1343
#     - CVE-2022-1434
#     - CVE-2022-1473
#   3.0.2-r0:
#     - CVE-2022-0778
#   3.0.1-r0:
#     - CVE-2021-4044
#   1.1.1l-r0:
#     - CVE-2021-3711
#     - CVE-2021-3712
#   1.1.1k-r0:
#     - CVE-2021-3449
#     - CVE-2021-3450
#   1.1.1j-r0:
#     - CVE-2021-23841
#     - CVE-2021-23840
#     - CVE-2021-23839
#   1.1.1i-r0:
#     - CVE-2020-1971
#   1.1.1g-r0:
#     - CVE-2020-1967
#   1.1.1d-r3:
#     - CVE-2019-1551
#   1.1.1d-r1:
#     - CVE-2019-1547
#     - CVE-2019-1549
#     - CVE-2019-1563
#   1.1.1b-r1:
#     - CVE-2019-1543
#   1.1.1a-r0:
#     - CVE-2018-0734
#     - CVE-2018-0735
#   0:
#     - CVE-2022-1292
#     - CVE-2022-2068
#     - CVE-2022-2274
#     - CVE-2023-0466
#     - CVE-2023-4807

build() {
	local target optflags

	# openssl will prepend crosscompile always core CC et al
	CC=${CC#"$CROSS_COMPILE"}
	CXX=${CXX#"$CROSS_COMPILE"}
	CPP=${CPP#"$CROSS_COMPILE"}

	# determine target OS for openssl
	case "$CARCH" in
		aarch64*)	target="linux-aarch64" ;;
		arm*)		target="linux-armv4" ;;
		mips64*)	target="linux64-mips64" ;;
		# explicit optflags is needed to prevent automatic -mips3 addition
		mips*)		target="linux-mips32"; optflags="-mips32" ;;
		ppc)		target="linux-ppc" ;;
		ppc64)		target="linux-ppc64" ;;
		ppc64le)	target="linux-ppc64le" ;;
		x86)		target="linux-elf" ;;
		x86_64)		target="linux-x86_64"; optflags="enable-ec_nistp_64_gcc_128" ;;
		s390x)		target="linux64-s390x";;
		riscv64)	target="linux64-riscv64";;
		loongarch64)	target="linux64-loongarch64";;
		*)		msg "Unable to determine architecture from (CARCH=$CARCH)" ; return 1 ;;
	esac

	# Configure assumes --options are for it, so can't use
	# gcc's --sysroot fake this by overriding CC
	[ -n "$CBUILDROOT" ] && CC="$CC --sysroot=$CBUILDROOT"

	# when cross building do not enable threads as libatomic is not avaiable
	if [ "$CBUILD" != "$CHOST" ]; then
		optflags="$optflags no-threads"
	fi

	perl ./Configure \
		$target \
		--prefix=/usr \
		--libdir=lib \
		--openssldir=/etc/ssl \
		enable-ktls \
		shared \
		no-zlib \
		no-async \
		no-comp \
		no-idea \
		no-mdc2 \
		no-rc5 \
		no-ec2m \
		no-ssl3 \
		no-seed \
		no-weak-ssl-ciphers \
		$optflags \
		$CPPFLAGS \
		$CFLAGS \
		$LDFLAGS -Wa,--noexecstack

	# dump configuration into logs
	perl configdata.pm --dump

	make
}

check() {
	# AFALG tests have a sporadic test failure, just delete the broken
	# test for now.
	rm -f test/recipes/30-test_afalg.t

	make test
}

package() {
	depends="libssl$_abiver=$pkgver-r$pkgrel libcrypto$_abiver=$pkgver-r$pkgrel"
	provides="openssl3=$pkgver-r$pkgrel"
	replaces="openssl3"

	make DESTDIR="$pkgdir" install
	# remove the script c_rehash
	rm "$pkgdir"/usr/bin/c_rehash
}

dev() {
	provides="openssl3-dev=$pkgver-r$pkgrel"
	replaces="openssl3-dev"

	default_dev
}

misc() {
	depends="$pkgname=$pkgver-r$pkgrel perl"
	pkgdesc="Various perl scripts from $pkgname"

	amove etc/ssl/misc
}

_libcrypto() {
	pkgdesc="Crypto library from openssl"
	replaces="libcrypto1.1"

	amove etc
	amove usr/lib/libcrypto*
	amove usr/lib/engines-$_abiver
	amove usr/lib/ossl-modules
}

_libssl() {
	pkgdesc="SSL shared libraries"
	depends="libcrypto$_abiver=$pkgver-r$pkgrel"

	amove usr/lib/libssl*
}

sha512sums="
0fa152ae59ab5ea066319de039dfb1d24cbb247172d7512feb5dd920db3740f219d76b0195ea562f84fe5eae36c23772302eddfbb3509df13761452b4dafb9d3  openssl-3.5.1.tar.gz
63f7b46f11c222d2c49200f252937516cbca0bfeb475f008a18ad1abeb1d73110ba7a0506898353c8c6c760c5cb446215da7c83a420afa57e0d73f7fb8c3af7a  auxv.patch
8c44e990fe8a820f649631b9f81cf28225b7516065169a7f68e2dd7c067b30df9b2c6cb88fa826afbc9fcdaf156360aabf7c498d2d9ed452968815b12b004809  man-section.patch
"
