# Contributor: Jesse Young # Maintainer: Natanael Copa pkgname=strongswan pkgver=5.8.1 _pkgver=${pkgver//_rc/rc} pkgrel=0 pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE" url="https://www.strongswan.org/" arch="all" pkgusers="ipsec" pkggroups="ipsec" license="GPL-2.0-or-later" depends="iproute2" makedepends="linux-headers python3 sqlite-dev openssl-dev curl-dev gmp-dev libcap-dev" install="$pkgname.pre-install" subpackages="$pkgname-doc $pkgname-dbg $pkgname-openrc" source="https://download.strongswan.org/strongswan-$_pkgver.tar.bz2 strongswan.initd charon.initd " # secfixes: # 5.7.1-r0: # - CVE-2018-17540 # 5.7.0-r0: # - CVE-2018-16151 # - CVE-2018-16152 # 5.6.3-r0: # - CVE-2018-5388 # - CVE-2018-10811 # 5.5.3-r0: # - CVE-2017-9022 # - CVE-2017-9023 prepare() { local i cd "$builddir" for i in $source; do case $i in *.patch) msg $i; patch -Np1 -i "$srcdir"/$i || _err="$_err $i" ;; esac done if [ -n "$_err" ]; then error "The following patches failed:" for i in $_err; do echo " $i" done return 1 fi # the headers they ship conflicts with the real thing. #rm -r src/include/linux } build() { cd "$builddir" # notes about configuration: # - try to keep options in ./configure --help order # - apk depends on openssl, so we use that # - openssl provides ciphers, randomness, etc # -> disable all redundant in-tree copies local _aesni= case "$CARCH" in x86_64) _aesni="--enable-aesni";; esac ./configure --prefix=/usr \ --sysconfdir=/etc \ --libexecdir=/usr/lib \ --with-ipsecdir=/usr/lib/strongswan \ --with-capabilities=libcap \ --with-user=ipsec \ --with-group=ipsec \ --enable-curl \ --disable-ldap \ --disable-aes \ --disable-des \ --disable-rc2 \ --disable-md5 \ --disable-sha1 \ --disable-sha2 \ --enable-gmp \ --disable-hmac \ --disable-mysql \ --enable-sqlite \ --enable-eap-sim \ --enable-eap-sim-file \ --enable-eap-aka \ --enable-eap-aka-3gpp2 \ --enable-eap-simaka-pseudonym \ --enable-eap-simaka-reauth \ --enable-eap-identity \ --enable-eap-md5 \ --enable-eap-tls \ --disable-eap-gtc \ --enable-eap-mschapv2 \ --enable-eap-radius \ --enable-xauth-eap \ --enable-farp \ --enable-vici \ --enable-attr-sql \ --enable-dhcp \ --enable-openssl \ --enable-unity \ --enable-ha \ --enable-cmd \ --enable-swanctl \ --enable-shared \ --disable-static \ $_aesni make } package() { cd "$builddir" make DESTDIR="$pkgdir" install install -m755 -D "$srcdir/$pkgname.initd" "$pkgdir/etc/init.d/$pkgname" install -m755 -D "$srcdir/charon.initd" "$pkgdir/etc/init.d/charon" # for CRL caching chown ipsec:ipsec "$pkgdir"/etc/ipsec.d/crls "$pkgdir"/etc/swanctl/x509crl } sha512sums="630d24643b3d61e931bb25cdd083ad3c55f92fe41f3fcd3198012eee486fb3b1a16dc3f80936162afb7da9e471d45d92b7d183a00153a558babb2a79e5f6813f strongswan-5.8.1.tar.bz2 8b61e3ffbb39b837733e602ec329e626dc519bf7308d3d4192b497d18f38176789d23ef5afec51f8463ee1ddaf4d74546b965c03184132e217cbc27017e886c9 strongswan.initd 4ac8dc83f08998fe672d5446dc6071f95a6a437b9df7c19d5f1a41707fb44451ec37aa237d0b86b0a9edf36a9ce7c29ba8959a38b04536c994dd4300daf737e5 charon.initd"