# Contributor: Jesse Young <jlyo@jlyo.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
# Package identity. _pkgver is pkgver with every "_rc" rewritten to "rc";
# it is the version string used in the tarball name and the build directory.
pkgname=strongswan
pkgver=5.5.3
_pkgver=${pkgver//_rc/rc}
# Release counter for this pkgver; the secfixes list in this file records
# which CVE fixes arrived with which -rN.
pkgrel=3
pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
url="http://www.strongswan.org/"
arch="all"
# Account and group for the package; build() passes the same names to
# --with-user/--with-group.
pkgusers="ipsec"
pkggroups="ipsec"
license="GPL2 RSA-MD5 RSA-PKCS11 DES"
depends="iproute2"
depends_dev=""
# Build-time libraries. The TLS/crypto dependency listed here is libressl-dev.
makedepends="$depends_dev linux-headers python2 sqlite-dev libressl-dev curl-dev
gmp-dev libcap-dev"
# presumably the pre-install script creates the ipsec user/group - confirm
install="$pkgname.pre-install"
subpackages="$pkgname-doc $pkgname-dbg"
# Upstream tarball plus local patches and init scripts. The tarball URL is
# plain http, so the transport gives no integrity protection; the checksum
# lists at the end of this file are what pin the downloaded content.
# NOTE(review): switch to https:// if the upstream host serves it - confirm.
# CVE-2017-11185.patch, CVE-2018-16151-CVE-2018-16152.patch and the
# gmp-pkcs1-overflow patch are security backports; by release number the
# last one presumably corresponds to CVE-2018-17540 in secfixes - confirm.
# Dropping any of them needs a matching review of secfixes and pkgver.
source="http://download.strongswan.org/$pkgname-$_pkgver.tar.bz2
0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
1001-charon-add-optional-source-and-remote-overrides-for-.patch
1002-vici-send-certificates-for-ike-sa-events.patch
1003-vici-add-support-for-individual-sa-state-changes.patch
2001-support-gre-key-in-ikev1.patch
libressl.patch
CVE-2017-11185.patch
CVE-2018-16151-CVE-2018-16152.patch
strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
strongswan.initd
charon.initd"
# Unpacked source tree; build() and package() cd here.
_builddir="$srcdir/$pkgname-$_pkgver"
# secfixes:
# 5.5.3-r3:
# - CVE-2018-17540
# 5.5.3-r2:
# - CVE-2018-16151
# - CVE-2018-16152
# 5.5.3-r1:
# - CVE-2017-11185
# 5.5.3-r0:
# - CVE-2017-9022
# - CVE-2017-9023
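# Apply every local *.patch listed in $source to the unpacked source tree.
# Several entries are security backports (CVE-*.patch), so a patch that
# does not apply has to stop the build rather than yield an unpatched package.
# Globals:   srcdir, pkgname, _pkgver, source (read)
# Outputs:   names of failed patches on stdout, after the error banner
# Returns:   0 when all patches applied; 1 if the tree is missing or any
#            patch failed
prepare() {
	local i
	# Start from an empty failure list; a value inherited from the caller's
	# environment would otherwise be reported as a failed patch.
	local _err=""
	# Without the tree there is nothing to patch; do not run patch elsewhere.
	cd "$srcdir/$pkgname-$_pkgver" || return 1
	# $source is a whitespace-separated list, so it is split on purpose.
	for i in $source; do
		case "$i" in
		*.patch)
			msg "$i"
			# Keep going after a failure so every broken patch is reported
			# in one run; the status is decided after the loop.
			patch -Np1 -i "$srcdir/$i" || _err="$_err $i"
			;;
		esac
	done
	if [ -n "$_err" ]; then
		error "The following patches failed:"
		for i in $_err; do
			echo " $i"
		done
		return 1
	fi
	# the headers they ship conflicts with the real thing.
	#rm -r src/include/linux
}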
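# Configure and compile strongSwan inside $_builddir.
# Globals:   _builddir (read)
# Returns:   0 on success; 1 if the tree is missing or configure/make fails
build() {
	# Stop if the tree is missing; otherwise ./configure would be looked up
	# in whatever directory the caller happened to be in.
	cd "$_builddir" || return 1
	# notes about configuration:
	# - try to keep options in ./configure --help order
	# - apk depends on openssl, so we use that
	#   NOTE(review): makedepends lists libressl-dev and source= carries
	#   libressl.patch, so "openssl" here presumably means the openssl
	#   plugin built against LibreSSL - confirm and reword.
	# - openssl provides ciphers, randomness, etc
	#   -> disable all redundant in-tree copies
	# - --enable-gmp keeps the gmp plugin in the build; the
	#   gmp-pkcs1-overflow patch in source= presumably targets it, so that
	#   patch has to stay for as long as this flag does - confirm.
	# - --with-user/--with-group name the ipsec account from
	#   pkgusers/pkggroups; --with-capabilities=libcap selects libcap for
	#   capability handling.
	# - NOTE(review): eap-md5 and eap-mschapv2 are legacy password-based EAP
	#   methods; building the plugins only makes them available, whether
	#   they are offered is decided by the connection configuration.
	./configure --prefix=/usr \
		--sysconfdir=/etc \
		--libexecdir=/usr/lib \
		--with-ipsecdir=/usr/lib/strongswan \
		--with-capabilities=libcap \
		--with-user=ipsec \
		--with-group=ipsec \
		--enable-curl \
		--disable-ldap \
		--disable-aes \
		--disable-des \
		--disable-rc2 \
		--disable-md5 \
		--disable-sha1 \
		--disable-sha2 \
		--enable-gmp \
		--disable-hmac \
		--disable-mysql \
		--enable-sqlite \
		--enable-eap-sim \
		--enable-eap-sim-file \
		--enable-eap-aka \
		--enable-eap-aka-3gpp2 \
		--enable-eap-simaka-pseudonym \
		--enable-eap-simaka-reauth \
		--enable-eap-identity \
		--enable-eap-md5 \
		--enable-eap-tls \
		--disable-eap-gtc \
		--enable-eap-mschapv2 \
		--enable-eap-radius \
		--enable-xauth-eap \
		--enable-farp \
		--enable-vici \
		--enable-attr-sql \
		--enable-dhcp \
		--enable-openssl \
		--enable-unity \
		--enable-ha \
		--enable-cmd \
		--enable-swanctl \
		--enable-shared \
		--disable-static \
		|| return 1
	make || return 1
}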
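# Install the built tree into $pkgdir and add the two init scripts.
# Globals:   _builddir, pkgdir, srcdir, pkgname (read)
# Returns:   0 on success; 1 if the tree is missing or any install step fails
package() {
	# Stop if the tree is missing so "make install" never runs against
	# whatever directory the caller happened to be in.
	cd "$_builddir" || return 1
	make DESTDIR="$pkgdir" install || return 1
	# Init scripts go to /etc/init.d with mode 755; -D creates the
	# leading directories.
	install -m755 -D "$srcdir/$pkgname.initd" "$pkgdir/etc/init.d/$pkgname" || return 1
	install -m755 -D "$srcdir/charon.initd" "$pkgdir/etc/init.d/charon" || return 1
}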
# Checksums for the twelve entries of source=, in the same order, one list
# per algorithm. Any change to the tarball, a patch or an init script has
# to be reflected in all three lists.
# NOTE(review): MD5 is not collision-resistant, so this list is no
# integrity guarantee on its own; rely on the SHA-256/SHA-512 lists below -
# confirm which list the abuild version in use actually verifies.
md5sums="4afffe3c219bb2e04f09510905af836b strongswan-5.5.3.tar.bz2
0a82059a9bd45d7a189864843560afe9 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
ac8283bc5a9615236c864d5aaeb38063 1001-charon-add-optional-source-and-remote-overrides-for-.patch
db486619b3f2efcd1a3e889567a04bbb 1002-vici-send-certificates-for-ike-sa-events.patch
ae81f5bbd7534137830a3e732d04b892 1003-vici-add-support-for-individual-sa-state-changes.patch
97bb0e061ba1576bab0e053afc2a4a72 2001-support-gre-key-in-ikev1.patch
360c16bcd6c03505b4f3ca308dd4932d libressl.patch
5676d26b3fb36a2529b5b53e1f2a992a CVE-2017-11185.patch
16ce55395c1d9923cfa40f319cea8b11 CVE-2018-16151-CVE-2018-16152.patch
7bcc1c21d4674cd8c2da6e0a535b72b5 strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
72a956819c451931d3d31a528a0d1b9c strongswan.initd
a7993f28e4eacc61f51722044645587e charon.initd"
# SHA-256 digests of the same files.
sha256sums="c5ea54b199174708de11af9b8f4ecf28b5b0743d4bc0e380e741f25b28c0f8d4 strongswan-5.5.3.tar.bz2
89934062b4d400019752bb8140a60dacd832e4be7e86e7f573397bc56f87109e 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
8825cb9a1061e446c9398643820009a06de3696ebc9526ef44c534dc19fbdeea 1001-charon-add-optional-source-and-remote-overrides-for-.patch
1bdd981188cfdc676814b978c44857cc773eb7c400b50dbc6effcf8bec559bfe 1002-vici-send-certificates-for-ike-sa-events.patch
671adf916dd031b0cf1b1622f1948fd80fec46618a99af7b874d841c17f0409a 1003-vici-add-support-for-individual-sa-state-changes.patch
f038cadddde9f0ea2f36df03f81445b2f6a6d6b09cf4a21bfcdb61c62706a66b 2001-support-gre-key-in-ikev1.patch
c2e94e169bd5923fe90f4cfdd2568b0bc6accd8fb9c1a32a07e795dd8a3fe7f9 libressl.patch
c80e02c9a5eeaf10f0a8bdde3be6375dd2833e515af03dad3a700e93c4fd041a CVE-2017-11185.patch
aa6c89a8f677fe6521e33286fffc1020eddab14e9a2d291033239eaddabb20da CVE-2018-16151-CVE-2018-16152.patch
415d104717cb0781770e9077d00b3df310b11e65e4b9c1d35b62fbba04549263 strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
fdb781fa59700ca83b9fd2f2ff0b9c45467448ebd82da96286b3e2aa477ef7f4 strongswan.initd
7bcc57e4a778f87645c6b9d76ba2c04e1c11c326bc9a4968561788711c7fe58a charon.initd"
# SHA-512 digests of the same files.
sha512sums="0b0b25d2102c98cda54300dc8c3c3a49a55e64f7c695dda65a24f2194f19bce0b7aab9e4f7486c243b552f9d1a94867d6a8782ee504aad1c9973809706d599ac strongswan-5.5.3.tar.bz2
768a144be4c84395bc28b91e509c8319521d68a9eae0a5d5ff96830bf8cf3154bce046d2128d1aba092bb5d3d2dceb35296c13778294f88a14c2267865766db1 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
df5673107ea15dae28276b1cbc2a0d995d9a210c9c73ee478cb0f4eba0e3ef76856708119a5ebdf59637c2830ca8e30adf294d09e3eeef5514890d8ebc7c47b4 1001-charon-add-optional-source-and-remote-overrides-for-.patch
0dd637cc6ee89646c05d0345757fbfb26f4c0e2103d8eaafeb248b98bcc972ce5171081b7da7c9b974c92abb3f452180271767fb997171ac08b73880650e566b 1002-vici-send-certificates-for-ike-sa-events.patch
d92ec44ac03c3eabe7583c01b15c66c9286681f42cf1d6ced3e1096c27c174014e14112610d2e12c8ccf6c2d8c1a5242e10e2520d41995f8aac145bd603facfc 1003-vici-add-support-for-individual-sa-state-changes.patch
1544a409ad08f46a5dffbe3b4e8cf0e973c58140bf225f7c4e9b29be7fe6178f63d73730d1b2f7a755ed0d5dc09ee9fa0a08ac35761b01c5914d9bde1044ce7a 2001-support-gre-key-in-ikev1.patch
8cc4e28a07c4f206d7838a20cd1fdab7cd82bc19a3916ed65f1c5acf6acecd7ea54f582f7b2f164aded96e49fdc2db5ace70f426a93fcc08f29d658c79069ad4 libressl.patch
276bcbd0cd3c550ddd4b3f5dfbcb490bb1e50ec8ed97789944409e3c05232903b99332c653cec9c9cf46eab445fd67113d1babef32156b1a5c77a68d2b83260b CVE-2017-11185.patch
db64485fc0679a7fe32f3a69ae52e9e29abb6988ec900f07c350a61663321f7a5ffdfcb6c3371feb24923599a07d5a50bfbe1a72266666bf0a49a77631f92076 CVE-2018-16151-CVE-2018-16152.patch
3e620641400aaf01c9df4b069548d593fcc728f870c49abbe22128866eeaf4092740620e2d72bd90ded24a6ee5263778a835991f777a24d149d4bed6b9f509f8 strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
8b61e3ffbb39b837733e602ec329e626dc519bf7308d3d4192b497d18f38176789d23ef5afec51f8463ee1ddaf4d74546b965c03184132e217cbc27017e886c9 strongswan.initd
1c44c801f66305c0331f76e580c0d60f1b7d5cd3cc371be55826b06c3899f542664628a912a7fb48626e34d864f72ca5dcd34b2f0d507c4f19c510d0047054c1 charon.initd"