# Contributor: Jesse Young <jlyo@jlyo.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=strongswan
pkgver=5.8.2
_pkgver=${pkgver//_rc/rc}
pkgrel=0
pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
url="https://www.strongswan.org/"
arch="all"
pkgusers="ipsec"
pkggroups="ipsec"
license="GPL-2.0-or-later"
depends="iproute2"
makedepends="linux-headers python3 sqlite-dev openssl-dev curl-dev
	gmp-dev libcap-dev"
install="$pkgname.pre-install"
subpackages="$pkgname-doc $pkgname-dbg $pkgname-openrc"
source="https://download.strongswan.org/strongswan-$_pkgver.tar.bz2
	0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
	1001-charon-add-optional-source-and-remote-overrides-for-.patch
	1002-vici-send-certificates-for-ike-sa-events.patch
	1003-vici-add-support-for-individual-sa-state-changes.patch

	strongswan.initd
	charon.initd
	"

# secfixes:
#   5.7.1-r0:
#     - CVE-2018-17540
#   5.7.0-r0:
#     - CVE-2018-16151
#     - CVE-2018-16152
#   5.6.3-r0:
#     - CVE-2018-5388
#     - CVE-2018-10811
#   5.5.3-r0:
#     - CVE-2017-9022
#     - CVE-2017-9023

prepare() {
	local i
	for i in $source; do
		case $i in
		*.patch) msg $i; patch -Np1 -i "$srcdir"/$i || _err="$_err $i" ;;
		esac
	done

	if [ -n "$_err" ]; then
		error "The following patches failed:"
		for i in $_err; do
			echo "  $i"
		done
		return 1
	fi

	# the headers they ship conflicts with the real thing.
	#rm -r src/include/linux
}

build() {
	# notes about configuration:
	# - try to keep options in ./configure --help order
	# - apk depends on openssl, so we use that
	# - openssl provides ciphers, randomness, etc
	#   -> disable all redundant in-tree copies
	local _aesni=
	case "$CARCH" in
	x86_64) _aesni="--enable-aesni";;
	esac

	./configure --prefix=/usr \
		--sysconfdir=/etc \
		--libexecdir=/usr/lib \
		--with-ipsecdir=/usr/lib/strongswan \
		--with-capabilities=libcap \
		--with-user=ipsec \
		--with-group=ipsec \
		--enable-curl \
		--disable-ldap \
		--disable-aes \
		--disable-des \
		--disable-rc2 \
		--disable-md5 \
		--disable-sha1 \
		--disable-sha2 \
		--enable-gmp \
		--disable-hmac \
		--disable-mysql \
		--enable-sqlite \
		--enable-eap-sim \
		--enable-eap-sim-file \
		--enable-eap-aka \
		--enable-eap-aka-3gpp2 \
		--enable-eap-simaka-pseudonym \
		--enable-eap-simaka-reauth \
		--enable-eap-identity \
		--enable-eap-md5 \
		--enable-eap-tls \
		--disable-eap-gtc \
		--enable-eap-mschapv2 \
		--enable-eap-radius \
		--enable-xauth-eap \
		--enable-farp \
		--enable-vici \
		--enable-attr-sql \
		--enable-dhcp \
		--enable-openssl \
		--enable-unity \
		--enable-ha \
		--enable-cmd \
		--enable-swanctl \
		--enable-shared \
		--disable-static \
		$_aesni
	make
}

package() {
	make DESTDIR="$pkgdir" install
	install -m755 -D "$srcdir/$pkgname.initd" "$pkgdir/etc/init.d/$pkgname"
	install -m755 -D "$srcdir/charon.initd" "$pkgdir/etc/init.d/charon"

	# for CRL caching
	chown ipsec:ipsec "$pkgdir"/etc/ipsec.d/crls "$pkgdir"/etc/swanctl/x509crl
}

sha512sums="423e7924acfe8a03ad7d4359ae9086fd516798fcf5eb948a27b52ea719f4d8954b83ea30ce94191ea1647616611df8a1215cb4d5c7ec48676624df6c41853e1d  strongswan-5.8.2.tar.bz2
c829b59d33f5dcffd86fbc81d824b51397ed48dc94da6271ec2d7d70e5975cff0c13d235147f92e1981b391857d5573507972593fed0ce831968da10d119da0f  0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
cdc8b9d56fbd7c079dfa37e8de822cfa925d3b6741ff7d04afbc8b856d717ed090750e85b19af2296e28ee030c2d91597d2492f4b9b3540a5647b120bf609556  1001-charon-add-optional-source-and-remote-overrides-for-.patch
f92609a1f6810786baeae1688688cbdd2a3116200cdba8d23e13da08992f5280bcbe04712cc89402f1e39aff6f4ebc8da05a2529b1e61e25a5229deb74c4dc3f  1002-vici-send-certificates-for-ike-sa-events.patch
da39b5654c6f39d175c5491dabd5ed5c1b552857af7cbe7eeb8d0ecb34dad265bb8cd7725930eb75ceb99d51813f8e59631e687b09c1ff5c6437388f5f4d9647  1003-vici-add-support-for-individual-sa-state-changes.patch
8b61e3ffbb39b837733e602ec329e626dc519bf7308d3d4192b497d18f38176789d23ef5afec51f8463ee1ddaf4d74546b965c03184132e217cbc27017e886c9  strongswan.initd
4ac8dc83f08998fe672d5446dc6071f95a6a437b9df7c19d5f1a41707fb44451ec37aa237d0b86b0a9edf36a9ce7c29ba8959a38b04536c994dd4300daf737e5  charon.initd"
