#!/usr/bin/make -f
export DEB_LDFLAGS_MAINT_APPEND=-Wl,-O1
#export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1 -Wl,-z,defs
export DEB_BUILD_MAINT_OPTIONS=hardening=+all

# DANOS specific: disable signal handler, to obtain vanilla cores
export DEB_CFLAGS_MAINT_APPEND=-DDISABLE_SIGNAL_HANDLER

# get DEB_VERSION_UPSTERAM
include /usr/share/dpkg/pkg-info.mk

CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
		--enable-addrblock \
		--enable-agent \
		--enable-bypass-lan \
		--enable-ccm \
		--enable-certexpire \
		--enable-chapoly \
		--enable-cmd \
		--enable-ctr \
		--enable-curl \
		--enable-eap-aka \
		--enable-eap-gtc \
		--enable-eap-identity \
		--enable-eap-md5 \
		--enable-eap-mschapv2 \
		--enable-eap-radius \
		--enable-eap-tls \
		--enable-eap-tnc \
		--enable-eap-ttls \
		--enable-error-notify \
		--enable-gcm \
		--enable-gcrypt \
		--enable-ha \
		--enable-kernel-libipsec \
		--enable-ldap \
		--enable-led \
		--enable-lookip \
		--enable-mediation \
		--enable-openssl \
		--enable-pkcs11 \
		--enable-test-vectors \
		--enable-tpm \
		--enable-unity \
		--enable-xauth-eap \
		--enable-xauth-pam \
		--disable-blowfish \
		--disable-fast \
		--disable-des # BSD-Young license
	#--with-user=strongswan --with-group=nogroup
	#	--enable-kernel-pfkey --enable-kernel-klips \
	# And for --enable-eap-sim we would need the library, which we don't
	# have right now.
	# Don't --enable-cisco-quirks, because some other IPsec implementations
	# (most notably the Phion one) have problems connecting when pluto
	# sends these Cisco options.
	# don't enable medsrv/medcli right now (20160523) since clearsilver FTBFS
	#--enable-medsrv --enable-medcli \

# get the various DEB_BUILD/DEB_HOST variables
include /usr/share/dpkg/architecture.mk

# the padlock plugin only makes sense on i386
# AESNI and RdRand only make sense on i386 and amd64
ifeq ($(DEB_HOST_ARCH_CPU),i386)
  CONFIGUREARGS += --enable-padlock --enable-rdrand --enable-aesni
endif

ifeq ($(DEB_HOST_ARCH_CPU),amd64)
  CONFIGUREARGS += --enable-rdrand --enable-aesni
endif

ifeq ($(DEB_HOST_ARCH_OS),linux)
	# only enable network-manager and capabilities dropping on linux hosts
	# some plugins are linux-only too
	CONFIGUREARGS += --enable-nm \
		--with-nm-ca-dir=/etc/ssl/certs \
		--with-capabilities=libcap \
		--enable-farp \
		--enable-dhcp \
		--enable-af-alg \
		--enable-connmark \
		--enable-systemd --enable-swanctl
endif

ifeq ($(DEB_HOST_ARCH_OS),kfreebsd)
	# recommended configure line for FreeBSD
	# http://wiki.strongswan.org/projects/strongswan/wiki/FreeBSD
	CONFIGUREARGS += --disable-kernel-netlink \
		--enable-kernel-pfkey --enable-kernel-pfroute \
		--with-group=wheel
endif

# Additional options for DANOS
CONFIGUREARGS += --with-routing-table=254 \
	--with-routing-table-prio=32766 \
	--disable-aes --enable-python-eggs \
	--enable-ext-auth \
	--enable-ext-fetcher \
	--enable-vici \
	--disable-aesni \
	--disable-gmp \
	--disable-bypass-lan \
	--disable-chapoly \
	--disable-tpm \
	--disable-drbg \
	--enable-load-tester
export PYTHON=python3


override_dh_auto_configure:
	dh_auto_configure -- $(CONFIGUREARGS)

override_dh_auto_clean:
	dh_auto_clean
	# after a make clean, no binaries _should_ be left, but ....
	-find $(CURDIR) -name "*.o" | xargs --no-run-if-empty rm

	# Really clean (#356716)
	# This is a hack: should be better implemented
	rm -f lib/libstrongswan/libstrongswan.a || true
	rm -f lib/libstrongswan/liboswlog.a || true

	# just in case something went wrong
	rm -f $(CURDIR)/debian/ipsec.secrets

	# and make sure that template are up-to-date
	debconf-updatepo


override_dh_install-arch:
	# remove all .la files
	find debian/tmp/usr/lib -name '*.la' -delete

	# first special cases
ifeq ($(DEB_HOST_ARCH_OS),linux)
	# handle Linux-only plugins
	dh_install -p libstrongswan-standard-plugins usr/lib/ipsec/plugins/libstrongswan-connmark.so
	dh_install -p libstrongswan-standard-plugins usr/share/strongswan/templates/config/plugins/connmark.conf
	dh_install -p libstrongswan-standard-plugins etc/strongswan.d/charon/connmark.conf
	dh_install -p libcharon-extra-plugins usr/lib/ipsec/plugins/libstrongswan-dhcp.so
	dh_install -p libcharon-extra-plugins usr/share/strongswan/templates/config/plugins/dhcp.conf
	dh_install -p libcharon-extra-plugins etc/strongswan.d/charon/dhcp.conf

	dh_install -p libcharon-extra-plugins usr/lib/ipsec/plugins/libstrongswan-farp.so
	dh_install -p libcharon-extra-plugins usr/share/strongswan/templates/config/plugins/farp.conf
	dh_install -p libcharon-extra-plugins etc/strongswan.d/charon/farp.conf

	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.so
	dh_install -p libstrongswan usr/share/strongswan/templates/config/plugins/kernel-netlink.conf
	dh_install -p libstrongswan etc/strongswan.d/charon/kernel-netlink.conf

	dh_install -p libstrongswan-extra-plugins usr/lib/ipsec/plugins/libstrongswan-af-alg.so
	dh_install -p libstrongswan-extra-plugins usr/share/strongswan/templates/config/plugins/af-alg.conf
	dh_install -p libstrongswan-extra-plugins etc/strongswan.d/charon/af-alg.conf
	# the systemd service file only gets generated on Linux
	#dh_install -p strongswan-starter lib/systemd/system/strongswan-starter.service
	rm -f debian/tmp/lib/systemd/system/strongswan-starter.service
	# XFRM is Linux only
	dh_install -p strongswan-libcharon usr/lib/ipsec/xfrmi
endif

ifeq ($(DEB_HOST_ARCH_OS),kfreebsd)
	# handle FreeBSD-only plugins
	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-kernel-pfkey.so
	dh_install -p libstrongswan usr/share/strongswan/templates/config/plugins/kernel-pfkey.conf
	dh_install -p libstrongswan etc/strongswan.d/charon/kernel-pfkey.conf

	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-kernel-pfroute.so
	dh_install -p libstrongswan usr/share/strongswan/templates/config/plugins/kernel-pfroute.conf
	dh_install -p libstrongswan etc/strongswan.d/charon/kernel-pfroute.conf
endif

ifeq ($(DEB_HOST_ARCH_CPU),i386)
	# special handling for padlock, as it is only built on i386
	dh_install -p libstrongswan-extra-plugins usr/lib/ipsec/plugins/libstrongswan-padlock.so
	dh_install -p libstrongswan-extra-plugins usr/share/strongswan/templates/config/plugins/padlock.conf
	dh_install -p libstrongswan-extra-plugins etc/strongswan.d/charon/padlock.conf

	dh_install -p libstrongswan-extra-plugins usr/lib/ipsec/plugins/libstrongswan-rdrand.so
	dh_install -p libstrongswan-extra-plugins usr/share/strongswan/templates/config/plugins/rdrand.conf
	dh_install -p libstrongswan-extra-plugins etc/strongswan.d/charon/rdrand.conf

# DANOS: OpenSSL only.
#	dh_install -p libstrongswan-standard-plugins usr/lib/ipsec/plugins/libstrongswan-aesni.so
#	dh_install -p libstrongswan-standard-plugins usr/share/strongswan/templates/config/plugins/aesni.conf
#	dh_install -p libstrongswan-standard-plugins etc/strongswan.d/charon/aesni.conf
endif

ifeq ($(DEB_HOST_ARCH_CPU), amd64)
	dh_install -p libstrongswan-extra-plugins usr/lib/ipsec/plugins/libstrongswan-rdrand.so
	dh_install -p libstrongswan-extra-plugins usr/share/strongswan/templates/config/plugins/rdrand.conf
	dh_install -p libstrongswan-extra-plugins etc/strongswan.d/charon/rdrand.conf

# DANOS: OpenSSL only.
#	dh_install -p libstrongswan-standard-plugins usr/lib/ipsec/plugins/libstrongswan-aesni.so
#	dh_install -p libstrongswan-standard-plugins usr/share/strongswan/templates/config/plugins/aesni.conf
#	dh_install -p libstrongswan-standard-plugins etc/strongswan.d/charon/aesni.conf
endif

	# python VICI
	cd $(CURDIR)/src/libcharon/plugins/vici/python/ && $(PYTHON) setup.py install --install-layout=deb --root=$(CURDIR)/debian/python3-vici
	rm -rf $(CURDIR)/debian/python3-vici/usr/lib/python*/dist-packages/vici-*.egg-info/
	rm -rf $(CURDIR)/debian/python3-vici/usr/lib/python*/dist-packages/vici/__pycache__/

# DANOS: libcharon and libstrongswan dev packages
	mkdir -p $(CURDIR)/debian/tmp/usr/include/strongswan
	cp -rf $(CURDIR)/src/libcharon/ $(CURDIR)/debian/tmp/usr/include/strongswan
	cp -rf $(CURDIR)/src/libipsec/ $(CURDIR)/debian/tmp/usr/include/strongswan
	cp -rf $(CURDIR)/src/libstrongswan/ $(CURDIR)/debian/tmp/usr/include/strongswan
	find $(CURDIR)/debian/tmp/usr/include/strongswan -type f ! -name "*.h" -delete
	find $(CURDIR)/debian/tmp/usr/include/strongswan -type d -name ".libs" | xargs --no-run-if-empty rm -rf
	mkdir -p $(CURDIR)/debian/tmp/usr/share/pkgconfig
	sed "s/@VERSION@/$(DEB_VERSION_UPSTREAM)/g" $(CURDIR)/debian/libstrongswan.pc.in > $(CURDIR)/debian/tmp/usr/share/pkgconfig/libstrongswan.pc
	sed "s/@VERSION@/$(DEB_VERSION_UPSTREAM)/g" $(CURDIR)/debian/libcharon.pc.in > $(CURDIR)/debian/tmp/usr/share/pkgconfig/libcharon.pc
	sed "s/@VERSION@/$(DEB_VERSION_UPSTREAM)/g" $(CURDIR)/debian/libipsec.pc.in > $(CURDIR)/debian/tmp/usr/share/pkgconfig/libipsec.pc

	# then install the rest, ignoring the above
	dh_install \
		-X\.la -X\.a \
		-Xmedsrv -Xman3 \
		-Xlibstrongswan-connmark.so -X connmark.conf \
		-Xlibstrongswan-kernel- -X kernel- \
		-Xlibstrongswan-dhcp.so -X dhcp.conf \
		-Xlibstrongswan-farp.so -X farp.conf \
		-Xlibstrongswan-padlock.so -X padlock.conf \
		-Xlibstrongswan-rdrand.so -X rdrand.conf \
		-Xlibstrongswan-af-alg.so -X af-alg.conf \
		-Xstrongswan-starter.service

# DANOS: OpenSSL only.
#		-Xlibstrongswan-aesni.so -X aesni.conf \

	# AppArmor.
	dh_apparmor --profile-name=usr.lib.ipsec.charon -p strongswan-charon
	dh_apparmor --profile-name=usr.lib.ipsec.lookip -p libcharon-extra-plugins
	dh_apparmor --profile-name=usr.lib.ipsec.stroke -p strongswan-starter
	dh_apparmor --profile-name=usr.sbin.swanctl -p strongswan-swanctl
	dh_apparmor --profile-name=usr.sbin.charon-systemd -p charon-systemd

	# add additional files not covered by upstream makefile...
	install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets

	# set permissions on ipsec.secrets and private key directories
	chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
	chmod 700 -R $(CURDIR)/debian/strongswan-starter/etc/ipsec.d/private/
	chmod 700 -R $(CURDIR)/debian/strongswan-starter/var/lib/strongswan/
	chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/bliss/
	chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/ecdsa/
	chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/pkcs8/
	chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/private/
	chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/rsa/

	# this is handled by update-rc.d
	rm -rf $(CURDIR)/debian/strongswan-starter/etc/rc?.d

	# delete var/lock/subsys and var/run to satisfy lintian
	rm -rf $(CURDIR)/debian/openswan/var/lock
	rm -rf $(CURDIR)/debian/openswan/var/run

	# more lintian cleanups
	find $(CURDIR)/debian/*strongswan*/ -name ".cvsignore" | xargs --no-run-if-empty rm -f
	find $(CURDIR)/debian/*strongswan*/ -name "/.svn/" | xargs --no-run-if-empty rm -rf

override_dh_installinit:
	# DANOS: don't enable sysvinit script
	dh_installinit -n --name=ipsec

override_dh_installchangelogs:
	dh_installchangelogs NEWS

override_dh_fixperms:
	dh_fixperms \
		-X etc/ipsec.d \
		-X etc/ipsec.secrets \
		-X etc/swanctl/bliss \
		-X etc/swanctl/ecdsa \
		-X etc/swanctl/pkcs8 \
		-X etc/swanctl/private \
		-X etc/swanctl/rsa \
		-X var/lib/strongswan

override_dh_makeshlibs:
	dh_makeshlibs -n -X usr/lib/ipsec/plugins

override_dh_installlogcheck:
	dh_installlogcheck --name strongswan

ifeq ($(HOME),/home/salsa-ci)
override_dh_auto_test: export TESTS_SUITES_EXCLUDE=http fetcher, stream
endif
override_dh_auto_test:
ifeq ($(DEB_BUILD_ARCH),amd64)
	dh_auto_test
endif

override_dh_missing-arch:
	dh_missing --fail-missing

override_dh_missing-indep:
	dh_missing --list-missing

%:
	dh $@ --parallel --with autoreconf,python3
