#!/usr/bin/make -f

export DEB_BUILD_MAINT_OPTIONS := hardening=+all

include /usr/share/dpkg/default.mk

# Uncomment this to turn on verbose mode.
# export DH_VERBOSE=1

# This has to be exported to make some magic below work.
export DH_OPTIONS

ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
  RUN_TESTS := yes
else
  RUN_TESTS :=
endif

ifeq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
  PARALLEL :=
else
  PARALLEL := \
	-j$(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
endif

ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
  CC := gcc
  PKG_CONFIG = pkg-config
else
  CC := $(DEB_HOST_GNU_TYPE)-gcc
  PKG_CONFIG = $(DEB_HOST_GNU_TYPE)-pkg-config
  RUN_TESTS :=
endif

# Change the version string to reflect distribution
SSH_EXTRAVERSION := $(DEB_VENDOR)-$(shell echo '$(DEB_VERSION)' | sed -e 's/.*-//')

UBUNTU := $(shell $(call dpkg_vendor_derives_from,Ubuntu))
ifeq ($(UBUNTU),yes)
DEFAULT_PATH := /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
else
DEFAULT_PATH := /usr/local/bin:/usr/bin:/bin:/usr/games
endif
SUPERUSER_PATH := /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

ifeq ($(UBUNTU),yes)
server_recommends := ssh-import-id
else
server_recommends :=
endif

# Common path configuration.
confflags += --sysconfdir=/etc/ssh
confflags += --libexecdir=\$${prefix}/lib/openssh

# Common build options.
confflags += --disable-strip
confflags += --with-mantype=doc
confflags += --with-4in6
confflags += --with-privsep-path=/run/sshd
confflags += --with-pid-dir=/run

# The Hurd needs libcrypt for res_query et al.
ifeq ($(DEB_HOST_ARCH_OS),hurd)
confflags += --with-libs=-lcrypt
endif

# Everything above here is common to the deb and udeb builds.
confflags_udeb := $(confflags)

# Options specific to the deb build.
confflags += --with-tcp-wrappers
confflags += --with-pam
confflags += --with-libedit
confflags += --with-kerberos5=/usr
confflags += --with-ssl-engine
ifeq ($(DEB_HOST_ARCH_OS),linux)
confflags += --with-selinux
confflags += --with-audit=linux
confflags += --with-systemd
confflags += --with-security-key-builtin
endif

# The deb build wants xauth; the udeb build doesn't.
confflags += --with-xauth=/usr/bin/xauth
confflags_udeb += --without-xauth

# Default paths. The udeb build has /usr/games removed.
confflags += --with-default-path=$(DEFAULT_PATH) --with-superuser-path=$(SUPERUSER_PATH)
confflags_udeb += --with-default-path=/usr/local/bin:/usr/bin:/bin --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Compiler flags.
cflags := $(CPPFLAGS) $(CFLAGS)
cflags += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\"
cflags_udeb := -Os
cflags_udeb += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\"
confflags += --with-cflags='$(cflags)'
confflags_udeb += --with-cflags='$(cflags_udeb)'

# Linker flags.
confflags += --with-ldflags='$(strip -Wl,--as-needed $(LDFLAGS))'
confflags_udeb += --with-ldflags='-Wl,--as-needed'

ifeq ($(shell dpkg-vendor --is Ubuntu && echo yes) $(DEB_HOST_ARCH), yes i386)
  BUILD_PACKAGES += -Nopenssh-tests
endif

%:
	dh $@ --with=runit $(BUILD_PACKAGES)

override_dh_autoreconf-indep:

override_dh_auto_configure-arch:
	dh_auto_configure -Bdebian/build-deb -- $(confflags)
ifeq ($(filter noudeb,$(DEB_BUILD_PROFILES)),)
	dh_auto_configure -Bdebian/build-udeb -- $(confflags_udeb)
	# Avoid libnsl linkage. Ugh.
	perl -pi -e 's/ +-lnsl//' debian/build-udeb/config.status
	cd debian/build-udeb && ./config.status
endif

override_dh_auto_configure-indep:

override_dh_auto_build-arch:
	$(MAKE) -C debian/build-deb $(PARALLEL) ASKPASS_PROGRAM='/usr/bin/ssh-askpass'
	$(MAKE) -C debian/build-deb regress-prep
	$(MAKE) -C debian/build-deb $(PARALLEL) regress-binaries regress-unit-binaries
ifeq ($(filter noudeb,$(DEB_BUILD_PROFILES)),)
	$(MAKE) -C debian/build-udeb $(PARALLEL) ASKPASS_PROGRAM='/usr/bin/ssh-askpass' ssh scp sftp sshd ssh-keygen
endif

ifeq ($(filter pkg.openssh.nognome,$(DEB_BUILD_PROFILES)),)
	$(MAKE) -C contrib gnome-ssh-askpass3 CC='$(CC) $(CPPFLAGS) $(CFLAGS) -Wall -Wl,--as-needed $(LDFLAGS)' PKG_CONFIG=$(PKG_CONFIG)
endif

override_dh_auto_build-indep:

override_dh_auto_test-arch:
ifeq ($(RUN_TESTS),yes)
	$(MAKE) -C debian/build-deb unit compat-tests
	$(MAKE) -C debian/keygen-test
endif

override_dh_auto_test-indep:

override_dh_auto_clean:
	rm -rf debian/build-deb debian/build-udeb
ifeq ($(RUN_TESTS),yes)
	$(MAKE) -C debian/keygen-test clean
endif
	$(MAKE) -C contrib clean

override_dh_auto_install-arch:
	$(MAKE) -C debian/build-deb DESTDIR=`pwd`/debian/tmp install-nokeys

override_dh_auto_install-indep:

override_dh_install-arch:
	# Remove version control tags to avoid unnecessary conffile
	# resolution steps for administrators.
	sed -i '/\$$OpenBSD:/d' \
		debian/tmp/etc/ssh/moduli \
		debian/tmp/etc/ssh/ssh_config \
		debian/tmp/etc/ssh/sshd_config

	dh_install -Nopenssh-client-udeb -Nopenssh-server-udeb
ifeq ($(filter noudeb,$(DEB_BUILD_PROFILES)),)
	dh_install -popenssh-client-udeb -popenssh-server-udeb \
		--sourcedir=debian/build-udeb
endif

	# This can't be done using dh_link, because it's needed earlier by
	# dh_installalternatives.
	ln -sf ssh debian/openssh-client/usr/bin/slogin

override_dh_installdocs:
	dh_installdocs -Nopenssh-server -Nopenssh-sftp-server
	dh_installdocs -popenssh-server -popenssh-sftp-server \
		--link-doc=openssh-client
	# Avoid breaking dh_installexamples later.
	mkdir -p debian/openssh-server/usr/share/doc/openssh-client

override_dh_installinit:
	dh_installinit -R --name ssh

override_dh_installsystemd:
	dh_installsystemd -popenssh-server --no-start ssh.socket
	dh_installsystemd -popenssh-server rescue-ssh.target
	dh_installsystemd -popenssh-server --no-enable --no-start ssh.service

debian/openssh-server.sshd.pam: debian/openssh-server.sshd.pam.in
ifeq ($(DEB_HOST_ARCH_OS),linux)
	sed 's/^@IF_KEYINIT@//' $< > $@
else
	sed '/^@IF_KEYINIT@/d' $< > $@
endif

override_dh_installpam: debian/openssh-server.sshd.pam
	dh_installpam --name sshd

override_dh_runit:
	dh_runit -popenssh-server

execute_after_dh_fixperms-arch:
	chmod u+s debian/openssh-client/usr/lib/openssh/ssh-keysign

# Tighten libssl dependencies to match the check in entropy.c.
execute_after_dh_shlibdeps:
	debian/adjust-openssl-dependencies

override_dh_gencontrol:
	dh_gencontrol -- -V'openssh-server:Recommends=$(server_recommends)'
