# Contributor: Jesse Young <jlyo@jlyo.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=strongswan
pkgver=5.6.3
_pkgver=${pkgver//_rc/rc}
pkgrel=4
pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
url="https://www.strongswan.org/"
arch="all"
pkgusers="ipsec"
pkggroups="ipsec"
license="GPL-2.0 RSA-MD5 RSA-PKCS11 DES"
depends="iproute2"
depends_dev=""
makedepends="$depends_dev linux-headers python2 sqlite-dev libressl-dev curl-dev
	gmp-dev libcap-dev"
install="$pkgname.pre-install"
subpackages="$pkgname-doc $pkgname-dbg"
source="http://download.strongswan.org/$pkgname-$_pkgver.tar.bz2
	0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
	1001-charon-add-optional-source-and-remote-overrides-for-.patch
	1002-vici-send-certificates-for-ike-sa-events.patch
	1003-vici-add-support-for-individual-sa-state-changes.patch
	libressl-fix.patch
	CVE-2018-16151-CVE-2018-16152.patch
	strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch

	strongswan.initd
	charon.initd
	"
builddir="$srcdir/$pkgname-$_pkgver"

# secfixes:
#   5.6.3-r3:
#     - CVE-2018-17540
#   5.6.3-r2:
#     - CVE-2018-16151
#     - CVE-2018-16152
#   5.6.3-r0:
#     - CVE-2018-5388
#     - CVE-2018-10811
#   5.5.3-r0:
#     - CVE-2017-9022
#     - CVE-2017-9023

prepare() {
	local i
	cd "$builddir"
	for i in $source; do
		case $i in
		*.patch) msg $i; patch -Np1 -i "$srcdir"/$i || _err="$_err $i" ;;
		esac
	done

	if [ -n "$_err" ]; then
		error "The following patches failed:"
		for i in $_err; do
			echo "  $i"
		done
		return 1
	fi

	# the headers they ship conflicts with the real thing.
	#rm -r src/include/linux
}

build() {
	cd "$builddir"

	# notes about configuration:
	# - try to keep options in ./configure --help order
	# - apk depends on openssl, so we use that
	# - openssl provides ciphers, randomness, etc
	#   -> disable all redundant in-tree copies

	./configure --prefix=/usr \
		--sysconfdir=/etc \
		--libexecdir=/usr/lib \
		--with-ipsecdir=/usr/lib/strongswan \
		--with-capabilities=libcap \
		--with-user=ipsec \
		--with-group=ipsec \
		--enable-curl \
		--disable-ldap \
		--disable-aes \
		--disable-des \
		--disable-rc2 \
		--disable-md5 \
		--disable-sha1 \
		--disable-sha2 \
		--enable-gmp \
		--disable-hmac \
		--disable-mysql \
		--enable-sqlite \
		--enable-eap-sim \
		--enable-eap-sim-file \
		--enable-eap-aka \
		--enable-eap-aka-3gpp2 \
		--enable-eap-simaka-pseudonym \
		--enable-eap-simaka-reauth \
		--enable-eap-identity \
		--enable-eap-md5 \
		--enable-eap-tls \
		--disable-eap-gtc \
		--enable-eap-mschapv2 \
		--enable-eap-radius \
		--enable-xauth-eap \
		--enable-farp \
		--enable-vici \
		--enable-attr-sql \
		--enable-dhcp \
		--enable-openssl \
		--enable-unity \
		--enable-ha \
		--enable-cmd \
		--enable-swanctl \
		--enable-shared \
		--disable-static
	make
}

package() {
	cd "$builddir"
	make DESTDIR="$pkgdir" install
	install -m755 -D "$srcdir/$pkgname.initd" "$pkgdir/etc/init.d/$pkgname"
	install -m755 -D "$srcdir/charon.initd" "$pkgdir/etc/init.d/charon"
}

sha512sums="080402640952b1a08e95bfe9c7f33c6a7dd01ac401b5e7e2e78257c0f2bf0a4d6078141232ac62abfacef892c493f6824948b3165d54d72b4e436ed564fd2609  strongswan-5.6.3.tar.bz2
193d845e2751c23d98cdf84134c7803f2e412197669c6d6c1c9974041608d154b85594ed3d9ffb923ca22a4d5926c7f2373787ddc7da47b52019e284a1d13211  0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
21db8f153f535ef13cc7c9c011f9b90b8c794e0072bd93fda6a0a56dc00d32d04e186b1a72a87a85613b7e511eed5cb96623abf0721c67dd5c96446db969a185  1001-charon-add-optional-source-and-remote-overrides-for-.patch
f7d98fb99b4855e8bfbb7369292c170536b1987e717feeda71f64ab71b35538e7d462609a773c6a6ed08c8e6ee7a186df12e1ea7d64b9dac0b17d4c7af17dab3  1002-vici-send-certificates-for-ike-sa-events.patch
a4235cd07e17ad3441dc391ded11ee9f4debdffa1e8218809731e73a545ca6fcdc0bb87239d41b1102b0b6719a4d31d43758972d2193ebe298b275285de2ce54  1003-vici-add-support-for-individual-sa-state-changes.patch
7e3164bf49c583d1908644e9dc8aee57e17021265ae8a0c8d44b6e6798b8af270a66708eeee05600c8d6a0dd3bd8ab6cf5d7b238464acab68bd7a668e8a4e379  libressl-fix.patch
27a6352e71e192dde2e740d0f1958565635b07b827194ffb49c1d763c0b1db2ff52cad165a43057f6ee9fee133b88aec36391cd418da9e85766b2d64a96c5bc1  CVE-2018-16151-CVE-2018-16152.patch
3e620641400aaf01c9df4b069548d593fcc728f870c49abbe22128866eeaf4092740620e2d72bd90ded24a6ee5263778a835991f777a24d149d4bed6b9f509f8  strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
8b61e3ffbb39b837733e602ec329e626dc519bf7308d3d4192b497d18f38176789d23ef5afec51f8463ee1ddaf4d74546b965c03184132e217cbc27017e886c9  strongswan.initd
81a4a011c933289562ee53b4ff14c5180f2a1198aab517fa0e9e2b66c3deac0d6a26f2cfdbadd070ec518de19b6c56df10122c724d205bca5d4c96478081fa00  charon.initd"