From: Michael Tremer Date: Sat, 19 Dec 2015 14:09:10 +0000 (+0000) Subject: strongswan: Update to 5.3.5 X-Git-Url: http://git.ipfire.org/?p=people%2Fjschlag%2Fipfire-2.x.git;a=commitdiff_plain;h=4d7f9a81ac575207edb6bb69f8bbea8762feab96 strongswan: Update to 5.3.5 Also ships a fix for #853 upstream. Fixes #10998 Signed-off-by: Michael Tremer --- diff --git a/lfs/strongswan b/lfs/strongswan index 566f1afd1f..c6d655bb24 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@ include Config -VER = 5.3.4 +VER = 5.3.5 THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 655a632a515c74a99f2e9cc337ab2f33 +$(DL_FILE)_MD5 = a2f9ea185f27e7f8413d4cd2ee61efe4 install : $(TARGET) @@ -79,6 +79,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch cd $(DIR_APP) && ./configure \ --prefix="/usr" \ diff --git a/src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch b/src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch new file mode 100644 index 0000000000..27b6f069e2 --- /dev/null +++ b/src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch @@ -0,0 +1,56 @@ +From 0e32cbc0bc8fce3319491db360fb23b16561ec58 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Tue, 15 Dec 2015 17:15:32 +0100 +Subject: [PATCH] child-rekey: Suppress updown event when deleting redundant + CHILD_SAs + +When handling a rekey collision we might have to delete an already +installed redundant CHILD_SA (or expect the other peer to do so). We don't +want to trigger updown events for these as we don't during rekeying. + +Instead of setting the state to CHILD_REKEYING we could maybe use +CHILD_REKEYED, which we currently only use for IKEv1, and set it for +all CHILD_SAs we delete or expect the other peer to delete. Would need +a small change in child-delete too. Or we could introduce a new state. + + #853. +--- + src/libcharon/sa/ikev2/tasks/child_rekey.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c +index c7a8a13..6f0c2b2 100644 +--- a/src/libcharon/sa/ikev2/tasks/child_rekey.c ++++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c +@@ -279,11 +279,15 @@ static child_sa_t *handle_collision(private_child_rekey_t *this) + /* don't touch child other created, it has already been deleted */ + if (!this->other_child_destroyed) + { +- /* disable close action for the redundand child */ ++ /* disable close action and updown event for redundant child */ + child_sa = other->child_create->get_child(other->child_create); + if (child_sa) + { + child_sa->set_close_action(child_sa, ACTION_NONE); ++ if (child_sa->get_state(child_sa) != CHILD_REKEYING) ++ { ++ child_sa->set_state(child_sa, CHILD_REKEYING); ++ } + } + } + } +@@ -372,6 +376,11 @@ METHOD(task_t, process_i, status_t, + { + return SUCCESS; + } ++ /* disable updown event for redundant CHILD_SA */ ++ if (to_delete->get_state(to_delete) != CHILD_REKEYING) ++ { ++ to_delete->set_state(to_delete, CHILD_REKEYING); ++ } + spi = to_delete->get_spi(to_delete, TRUE); + protocol = to_delete->get_protocol(to_delete); + +-- +1.7.9.5 +