# Contributor: Jesse Young # Maintainer: Natanael Copa pkgname=strongswan pkgver=5.8.4 _pkgver=${pkgver//_rc/rc} pkgrel=3 pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE" url="https://www.strongswan.org/" arch="all" pkgusers="ipsec" pkggroups="ipsec" license="GPL-2.0-or-later" depends="iproute2" makedepends="linux-headers python3 sqlite-dev openssl-dev curl-dev gmp-dev libcap-dev gettext-dev automake autoconf libtool" install="$pkgname.pre-install" subpackages="$pkgname-doc $pkgname-dbg $pkgname-logfile $pkgname-openrc" source="https://download.strongswan.org/strongswan-$_pkgver.tar.bz2 https://download.strongswan.org/security/CVE-2021-41990/strongswan-5.6.1-5.9.3_gmp-rsa-ssa-salt-len.patch https://download.strongswan.org/security/CVE-2021-41991/strongswan-4.4.1-5.9.3_cert-cache-random.patch 0001-file-logger-Set-owner-group-of-log-file.patch 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch 1001-charon-add-optional-source-and-remote-overrides-for-.patch 1002-vici-send-certificates-for-ike-sa-events.patch 1003-vici-add-support-for-individual-sa-state-changes.patch strongswan.initd charon.initd charon.logrotate charon-logfile.conf " # secfixes: # 5.8.4-r3: # - CVE-2021-41990 # - CVE-2021-41991 # 5.7.1-r0: # - CVE-2018-17540 # 5.7.0-r0: # - CVE-2018-16151 # - CVE-2018-16152 # 5.6.3-r0: # - CVE-2018-5388 # - CVE-2018-10811 # 5.5.3-r0: # - CVE-2017-9022 # - CVE-2017-9023 prepare() { default_prepare autoreconf -fiv } build() { # notes about configuration: # - try to keep options in ./configure --help order # - apk depends on openssl, so we use that # - openssl provides ciphers, randomness, etc # -> disable all redundant in-tree copies local _aesni= case "$CARCH" in x86_64) _aesni="--enable-aesni";; esac ./configure --prefix=/usr \ --sysconfdir=/etc \ --libexecdir=/usr/lib \ --with-ipsecdir=/usr/lib/strongswan \ --with-capabilities=libcap \ --with-user=ipsec \ --with-group=ipsec \ --enable-curl \ --disable-ldap \ --disable-aes \ --disable-des \ --disable-rc2 \ --disable-md5 \ --disable-sha1 \ --disable-sha2 \ --enable-gmp \ --disable-hmac \ --disable-mysql \ --enable-sqlite \ --enable-eap-sim \ --enable-eap-sim-file \ --enable-eap-aka \ --enable-eap-aka-3gpp2 \ --enable-eap-simaka-pseudonym \ --enable-eap-simaka-reauth \ --enable-eap-identity \ --enable-eap-md5 \ --enable-eap-tls \ --disable-eap-gtc \ --enable-eap-mschapv2 \ --enable-eap-radius \ --enable-xauth-eap \ --enable-farp \ --enable-vici \ --enable-attr-sql \ --enable-dhcp \ --enable-openssl \ --enable-unity \ --enable-ha \ --enable-cmd \ --enable-swanctl \ --enable-shared \ --disable-static \ $_aesni make } package() { make DESTDIR="$pkgdir" install install -m755 -D "$srcdir/$pkgname.initd" "$pkgdir/etc/init.d/$pkgname" install -m755 -D "$srcdir/charon.initd" "$pkgdir/etc/init.d/charon" # for CRL caching chown ipsec:ipsec "$pkgdir"/etc/ipsec.d/crls "$pkgdir"/etc/swanctl/x509crl } logfile() { pkgdesc="Dedicated log file configuration for charon" depends=$pkgname install -m 644 -D charon.logrotate "$subpkgdir/etc/logrotate.d/charon" install -m 644 -D charon-logfile.conf \ "$subpkgdir/etc/strongswan.d/charon-logfile.conf" install -m 2750 -o ipsec -g wheel -d "$subpkgdir/var/log/ipsec" } sha512sums=" 15e866b0d6cc4ea94f17856b519d926ae08c15d3b62f675f62685d0722ca8fa26b46afb1ad1c866e9d5f347d77a747f57d0c6d7f6bd57762f37d7798f9e28103 strongswan-5.8.4.tar.bz2 42bb9dc02e04735183cb2966e23f26bdb2b14b56b10dc3df770cfbea066a690130ce84dc3a17b1369c2d45852bcd8a2902f19368099a1e71c858293decdb48ee strongswan-5.6.1-5.9.3_gmp-rsa-ssa-salt-len.patch 39f607625bc6aa128b71e65e9806c60051015378d0250961bafbe787aa652141e1b3126d235b9cede08e4fe816b3220dbae54e40492b0aeb48f034220f1ee446 strongswan-4.4.1-5.9.3_cert-cache-random.patch 7ea3cecb6ed1d730b4417699715ec1f02f592848a7736448187c3fff8df7c194983021c370019a63cc56ee3cfec881e13e950ac31ba49a5ecae75abab64dbcfc 0001-file-logger-Set-owner-group-of-log-file.patch c829b59d33f5dcffd86fbc81d824b51397ed48dc94da6271ec2d7d70e5975cff0c13d235147f92e1981b391857d5573507972593fed0ce831968da10d119da0f 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch cdc8b9d56fbd7c079dfa37e8de822cfa925d3b6741ff7d04afbc8b856d717ed090750e85b19af2296e28ee030c2d91597d2492f4b9b3540a5647b120bf609556 1001-charon-add-optional-source-and-remote-overrides-for-.patch f92609a1f6810786baeae1688688cbdd2a3116200cdba8d23e13da08992f5280bcbe04712cc89402f1e39aff6f4ebc8da05a2529b1e61e25a5229deb74c4dc3f 1002-vici-send-certificates-for-ike-sa-events.patch da39b5654c6f39d175c5491dabd5ed5c1b552857af7cbe7eeb8d0ecb34dad265bb8cd7725930eb75ceb99d51813f8e59631e687b09c1ff5c6437388f5f4d9647 1003-vici-add-support-for-individual-sa-state-changes.patch 8b61e3ffbb39b837733e602ec329e626dc519bf7308d3d4192b497d18f38176789d23ef5afec51f8463ee1ddaf4d74546b965c03184132e217cbc27017e886c9 strongswan.initd 4ac8dc83f08998fe672d5446dc6071f95a6a437b9df7c19d5f1a41707fb44451ec37aa237d0b86b0a9edf36a9ce7c29ba8959a38b04536c994dd4300daf737e5 charon.initd 0417de0c0aa779602b216f29b1ad58cc842f0b0fbb8f5238d39199125dac30eaae89d869b337f8f504f8427f074ee7a363f55e3b3875516fe1ed5f0ed7f34c6f charon.logrotate 5896a9c5ecbef1a6c36b7bd31c83e18603f49105aedd4af80c42b0036c75950eac6e92abccfca09c9cb5bb3f3c4010f0daba068208e7dff05e7b1849d5a6e363 charon-logfile.conf "