# Contributor: Jesse Young <jlyo@jlyo.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=strongswan
pkgver=5.5.3
_pkgver=${pkgver//_rc/rc}
pkgrel=3
pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
url="http://www.strongswan.org/"
arch="all"
pkgusers="ipsec"
pkggroups="ipsec"
license="GPL2 RSA-MD5 RSA-PKCS11 DES"
depends="iproute2"
depends_dev=""
makedepends="$depends_dev linux-headers python2 sqlite-dev libressl-dev curl-dev
	gmp-dev libcap-dev"
install="$pkgname.pre-install"
subpackages="$pkgname-doc $pkgname-dbg"
source="http://download.strongswan.org/$pkgname-$_pkgver.tar.bz2
	0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
	1001-charon-add-optional-source-and-remote-overrides-for-.patch
	1002-vici-send-certificates-for-ike-sa-events.patch
	1003-vici-add-support-for-individual-sa-state-changes.patch
	2001-support-gre-key-in-ikev1.patch
	libressl.patch
	CVE-2017-11185.patch
	CVE-2018-16151-CVE-2018-16152.patch
	strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch

	strongswan.initd
	charon.initd"

_builddir="$srcdir/$pkgname-$_pkgver"

# secfixes:
#   5.5.3-r3:
#     - CVE-2018-17540
#   5.5.3-r2:
#     - CVE-2018-16151
#     - CVE-2018-16152
#   5.5.3-r1:
#     - CVE-2017-11185
#   5.5.3-r0:
#     - CVE-2017-9022
#     - CVE-2017-9023

prepare() {
	local i
	cd "$srcdir/$pkgname-$_pkgver"
	for i in $source; do
		case $i in
		*.patch) msg $i; patch -Np1 -i "$srcdir"/$i || _err="$_err $i" ;;
		esac
	done

	if [ -n "$_err" ]; then
		error "The following patches failed:"
		for i in $_err; do
			echo "  $i"
		done
		return 1
	fi

	# the headers they ship conflicts with the real thing.
	#rm -r src/include/linux
}

build() {
	cd "$_builddir"

	# notes about configuration:
	# - try to keep options in ./configure --help order
	# - apk depends on openssl, so we use that
	# - openssl provides ciphers, randomness, etc
	#   -> disable all redundant in-tree copies

	./configure --prefix=/usr \
		--sysconfdir=/etc \
		--libexecdir=/usr/lib \
		--with-ipsecdir=/usr/lib/strongswan \
		--with-capabilities=libcap \
		--with-user=ipsec \
		--with-group=ipsec \
		--enable-curl \
		--disable-ldap \
		--disable-aes \
		--disable-des \
		--disable-rc2 \
		--disable-md5 \
		--disable-sha1 \
		--disable-sha2 \
		--enable-gmp \
		--disable-hmac \
		--disable-mysql \
		--enable-sqlite \
		--enable-eap-sim \
		--enable-eap-sim-file \
		--enable-eap-aka \
		--enable-eap-aka-3gpp2 \
		--enable-eap-simaka-pseudonym \
		--enable-eap-simaka-reauth \
		--enable-eap-identity \
		--enable-eap-md5 \
		--enable-eap-tls \
		--disable-eap-gtc \
		--enable-eap-mschapv2 \
		--enable-eap-radius \
		--enable-xauth-eap \
		--enable-farp \
		--enable-vici \
		--enable-attr-sql \
		--enable-dhcp \
		--enable-openssl \
		--enable-unity \
		--enable-ha \
		--enable-cmd \
		--enable-swanctl \
		--enable-shared \
		--disable-static \
		|| return 1
	make || return 1
}

package() {
	cd "$_builddir"
	make DESTDIR="$pkgdir" install || return 1
	install -m755 -D "$srcdir/$pkgname.initd" "$pkgdir/etc/init.d/$pkgname" || return 1
	install -m755 -D "$srcdir/charon.initd" "$pkgdir/etc/init.d/charon" || return 1
}

md5sums="4afffe3c219bb2e04f09510905af836b  strongswan-5.5.3.tar.bz2
0a82059a9bd45d7a189864843560afe9  0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
ac8283bc5a9615236c864d5aaeb38063  1001-charon-add-optional-source-and-remote-overrides-for-.patch
db486619b3f2efcd1a3e889567a04bbb  1002-vici-send-certificates-for-ike-sa-events.patch
ae81f5bbd7534137830a3e732d04b892  1003-vici-add-support-for-individual-sa-state-changes.patch
97bb0e061ba1576bab0e053afc2a4a72  2001-support-gre-key-in-ikev1.patch
360c16bcd6c03505b4f3ca308dd4932d  libressl.patch
5676d26b3fb36a2529b5b53e1f2a992a  CVE-2017-11185.patch
16ce55395c1d9923cfa40f319cea8b11  CVE-2018-16151-CVE-2018-16152.patch
7bcc1c21d4674cd8c2da6e0a535b72b5  strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
72a956819c451931d3d31a528a0d1b9c  strongswan.initd
a7993f28e4eacc61f51722044645587e  charon.initd"
sha256sums="c5ea54b199174708de11af9b8f4ecf28b5b0743d4bc0e380e741f25b28c0f8d4  strongswan-5.5.3.tar.bz2
89934062b4d400019752bb8140a60dacd832e4be7e86e7f573397bc56f87109e  0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
8825cb9a1061e446c9398643820009a06de3696ebc9526ef44c534dc19fbdeea  1001-charon-add-optional-source-and-remote-overrides-for-.patch
1bdd981188cfdc676814b978c44857cc773eb7c400b50dbc6effcf8bec559bfe  1002-vici-send-certificates-for-ike-sa-events.patch
671adf916dd031b0cf1b1622f1948fd80fec46618a99af7b874d841c17f0409a  1003-vici-add-support-for-individual-sa-state-changes.patch
f038cadddde9f0ea2f36df03f81445b2f6a6d6b09cf4a21bfcdb61c62706a66b  2001-support-gre-key-in-ikev1.patch
c2e94e169bd5923fe90f4cfdd2568b0bc6accd8fb9c1a32a07e795dd8a3fe7f9  libressl.patch
c80e02c9a5eeaf10f0a8bdde3be6375dd2833e515af03dad3a700e93c4fd041a  CVE-2017-11185.patch
aa6c89a8f677fe6521e33286fffc1020eddab14e9a2d291033239eaddabb20da  CVE-2018-16151-CVE-2018-16152.patch
415d104717cb0781770e9077d00b3df310b11e65e4b9c1d35b62fbba04549263  strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
fdb781fa59700ca83b9fd2f2ff0b9c45467448ebd82da96286b3e2aa477ef7f4  strongswan.initd
7bcc57e4a778f87645c6b9d76ba2c04e1c11c326bc9a4968561788711c7fe58a  charon.initd"
sha512sums="0b0b25d2102c98cda54300dc8c3c3a49a55e64f7c695dda65a24f2194f19bce0b7aab9e4f7486c243b552f9d1a94867d6a8782ee504aad1c9973809706d599ac  strongswan-5.5.3.tar.bz2
768a144be4c84395bc28b91e509c8319521d68a9eae0a5d5ff96830bf8cf3154bce046d2128d1aba092bb5d3d2dceb35296c13778294f88a14c2267865766db1  0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
df5673107ea15dae28276b1cbc2a0d995d9a210c9c73ee478cb0f4eba0e3ef76856708119a5ebdf59637c2830ca8e30adf294d09e3eeef5514890d8ebc7c47b4  1001-charon-add-optional-source-and-remote-overrides-for-.patch
0dd637cc6ee89646c05d0345757fbfb26f4c0e2103d8eaafeb248b98bcc972ce5171081b7da7c9b974c92abb3f452180271767fb997171ac08b73880650e566b  1002-vici-send-certificates-for-ike-sa-events.patch
d92ec44ac03c3eabe7583c01b15c66c9286681f42cf1d6ced3e1096c27c174014e14112610d2e12c8ccf6c2d8c1a5242e10e2520d41995f8aac145bd603facfc  1003-vici-add-support-for-individual-sa-state-changes.patch
1544a409ad08f46a5dffbe3b4e8cf0e973c58140bf225f7c4e9b29be7fe6178f63d73730d1b2f7a755ed0d5dc09ee9fa0a08ac35761b01c5914d9bde1044ce7a  2001-support-gre-key-in-ikev1.patch
8cc4e28a07c4f206d7838a20cd1fdab7cd82bc19a3916ed65f1c5acf6acecd7ea54f582f7b2f164aded96e49fdc2db5ace70f426a93fcc08f29d658c79069ad4  libressl.patch
276bcbd0cd3c550ddd4b3f5dfbcb490bb1e50ec8ed97789944409e3c05232903b99332c653cec9c9cf46eab445fd67113d1babef32156b1a5c77a68d2b83260b  CVE-2017-11185.patch
db64485fc0679a7fe32f3a69ae52e9e29abb6988ec900f07c350a61663321f7a5ffdfcb6c3371feb24923599a07d5a50bfbe1a72266666bf0a49a77631f92076  CVE-2018-16151-CVE-2018-16152.patch
3e620641400aaf01c9df4b069548d593fcc728f870c49abbe22128866eeaf4092740620e2d72bd90ded24a6ee5263778a835991f777a24d149d4bed6b9f509f8  strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
8b61e3ffbb39b837733e602ec329e626dc519bf7308d3d4192b497d18f38176789d23ef5afec51f8463ee1ddaf4d74546b965c03184132e217cbc27017e886c9  strongswan.initd
1c44c801f66305c0331f76e580c0d60f1b7d5cd3cc371be55826b06c3899f542664628a912a7fb48626e34d864f72ca5dcd34b2f0d507c4f19c510d0047054c1  charon.initd"