strongswan: Update to 5.3.5
authorMichael Tremer <michael.tremer@ipfire.org>
Sat, 19 Dec 2015 14:09:10 +0000 (14:09 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Sat, 19 Dec 2015 14:09:10 +0000 (14:09 +0000)
Also ships a fix for upstream issue #853.

Fixes #10998

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
lfs/strongswan
src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch [new file with mode: 0644]

index 566f1afd1f462531288dfc823f72bec8f28de39a..c6d655bb24208091af5f9c767dfe74e12d104b40 100644 (file)
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 5.3.4
+VER        = 5.3.5
 
 THISAPP    = strongswan-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -48,7 +48,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 655a632a515c74a99f2e9cc337ab2f33
+$(DL_FILE)_MD5 = a2f9ea185f27e7f8413d4cd2ee61efe4
 
 install : $(TARGET)
 
@@ -79,6 +79,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
        cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch
+       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch
 
        cd $(DIR_APP) && ./configure \
                --prefix="/usr" \
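Review bot: The new tarball is pinned only by an MD5 digest on the `$(DL_FILE)_MD5` line, and MD5 is no longer collision-resistant, which makes it a weak integrity check for the sources of a VPN daemon. If the lfs download check can take a stronger digest (that code is outside this diff), record one next to the MD5 value; otherwise the tarball should at least be verified against upstream's release signature before the new value is committed. Separately, the added patch line feeds the file through a stdin redirect while the line above it uses `-i`; `cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch` would keep the two invocations consistent.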
diff --git a/src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch b/src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch
new file mode 100644 (file)
index 0000000..27b6f06
--- /dev/null
@@ -0,0 +1,56 @@
+From 0e32cbc0bc8fce3319491db360fb23b16561ec58 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 15 Dec 2015 17:15:32 +0100
+Subject: [PATCH] child-rekey: Suppress updown event when deleting redundant
+ CHILD_SAs
+
+When handling a rekey collision we might have to delete an already
+installed redundant CHILD_SA (or expect the other peer to do so).  We don't
+want to trigger updown events for these as we don't during rekeying.
+
+Instead of setting the state to CHILD_REKEYING we could maybe use
+CHILD_REKEYED, which we currently only use for IKEv1, and set it for
+all CHILD_SAs we delete or expect the other peer to delete.  Would need
+a small change in child-delete too.  Or we could introduce a new state.
+
+ #853.
+---
+ src/libcharon/sa/ikev2/tasks/child_rekey.c |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c
+index c7a8a13..6f0c2b2 100644
+--- a/src/libcharon/sa/ikev2/tasks/child_rekey.c
++++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c
+@@ -279,11 +279,15 @@ static child_sa_t *handle_collision(private_child_rekey_t *this)
+                       /* don't touch child other created, it has already been deleted */
+                       if (!this->other_child_destroyed)
+                       {
+-                              /* disable close action for the redundand child */
++                              /* disable close action and updown event for redundant child */
+                               child_sa = other->child_create->get_child(other->child_create);
+                               if (child_sa)
+                               {
+                                       child_sa->set_close_action(child_sa, ACTION_NONE);
++                                      if (child_sa->get_state(child_sa) != CHILD_REKEYING)
++                                      {
++                                              child_sa->set_state(child_sa, CHILD_REKEYING);
++                                      }
+                               }
+                       }
+               }
+@@ -372,6 +376,11 @@ METHOD(task_t, process_i, status_t,
+       {
+               return SUCCESS;
+       }
++      /* disable updown event for redundant CHILD_SA */
++      if (to_delete->get_state(to_delete) != CHILD_REKEYING)
++      {
++              to_delete->set_state(to_delete, CHILD_REKEYING);
++      }
+       spi = to_delete->get_spi(to_delete, TRUE);
+       protocol = to_delete->get_protocol(to_delete);
+-- 
+1.7.9.5
+
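Review bot: Both added blocks overload `CHILD_REKEYING` as a flag to silence the updown event, so a CHILD_SA that is being deleted as redundant now reports a rekeying state to every caller of `get_state`, not only to the updown listener. The one-line comments say what is disabled but not how; something like `/* CHILD_REKEYING is set only to suppress the updown event, this SA is about to be deleted */` at both sites would keep a later reader from treating it as a real rekey. Whether any code between these points and the actual delete branches on the state cannot be seen here, since `handle_collision` and `process_i` both continue outside the hunks, and it is worth confirming because updown scripts typically manage firewall rules and routes. The patch message itself describes the approach as provisional, so this carried patch should be re-checked and dropped once a later strongSwan update contains the fix.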