Merge remote-tracking branch 'origin/next' into fifteen
authorArne Fitzenreiter <arne_f@ipfire.org>
Wed, 13 Nov 2013 13:05:15 +0000 (14:05 +0100)
committerArne Fitzenreiter <arne_f@ipfire.org>
Wed, 13 Nov 2013 13:05:15 +0000 (14:05 +0100)
Conflicts:
lfs/samba
lfs/strongswan

config/rootfiles/common/i586/strongswan-padlock
config/rootfiles/common/strongswan
lfs/samba
lfs/strongswan
src/patches/strongswan-5.1.1-delay-dpd.patch [new file with mode: 0644]

index 02aa457..4ebfc75 100644 (file)
@@ -1 +1,2 @@
 usr/lib/ipsec/plugins/libstrongswan-padlock.so
+usr/lib/ipsec/plugins/libstrongswan-rdrand.so
index da94336..732e327 100644 (file)
@@ -75,6 +75,7 @@ usr/lib/ipsec/plugins/libstrongswan-sha2.so
 usr/lib/ipsec/plugins/libstrongswan-socket-default.so
 usr/lib/ipsec/plugins/libstrongswan-sshkey.so
 usr/lib/ipsec/plugins/libstrongswan-stroke.so
+usr/lib/ipsec/plugins/libstrongswan-unity.so
 usr/lib/ipsec/plugins/libstrongswan-updown.so
 usr/lib/ipsec/plugins/libstrongswan-x509.so
 usr/lib/ipsec/plugins/libstrongswan-xauth-eap.so
index ce53eba..aa635d1 100644 (file)
--- a/lfs/samba
+++ b/lfs/samba
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 3.6.19
+VER        = 3.6.20
 
 THISAPP    = samba-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = samba
-PAK_VER    = 53
+PAK_VER    = 54
 
 DEPS       = "cups"
 
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = afe9c7c590f3093555cd6e870d2532e1
+$(DL_FILE)_MD5 = 3f1b60c681845ce6828a1abe5aacf671
 
 install : $(TARGET)
 
index f573cd8..948db5b 100644 (file)
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 5.1.1dr4
+VER        = 5.1.1
 
 THISAPP    = strongswan-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -33,9 +33,13 @@ DIR_APP    = $(DIR_SRC)/strongswan-$(VER)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 
 ifeq "$(MACHINE)" "i586"
-       PADLOCK = --enable-padlock
+       CONFIGURE_OPTIONS = \
+               --enable-padlock \
+               --enable-rdrand
 else
-       PADLOCK = --disable-padlock
+       CONFIGURE_OPTIONS = \
+               --disable-padlock \
+               --disable-rdrand
 endif
 
 ###############################################################################
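Review bot: The new `CONFIGURE_OPTIONS` assignment in the `ifeq "$(MACHINE)" "i586"` branch enables the rdrand plugin without any comment on how it is meant to sit next to the existing RNG source. The rootfiles change in this commit ships `libstrongswan-rdrand.so`, so the plugin will presumably be loaded on CPUs that have the instruction. The plugin load order is not visible here, and it is worth confirming so that key material is not drawn from the CPU instruction alone unless that is the intent. I would add a comment above the assignment such as `# x86-only hardware plugins: VIA PadLock crypto and Intel RDRAND RNG`, plus one line recording the RNG preference once it is confirmed.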
@@ -46,7 +50,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 05899faa9b8a8f253474af809b283ef9
+$(DL_FILE)_MD5 = e3af3d493d22286be3cd794533a8966a
 
 install : $(TARGET)
 
@@ -77,6 +81,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
        cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.0.2_ipfire.patch
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.1.1-delay-dpd.patch
 
        cd $(DIR_APP) && [ -x "configure" ] || ./autogen.sh
        cd $(DIR_APP) && ./configure \
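Review bot: The added `patch -Np1 -i ... strongswan-5.1.1-delay-dpd.patch` line does not say that the patch is an upstream backport, so nothing tells whoever next bumps `VER` whether to drop it or rebase it. The patch header in this commit names upstream commit b76e96e2ef4d56c863b36c8d3c39e3c2efcf4a7c, and a comment above the line such as `# Upstream backport (b76e96e2): re-check whether still needed on the next version bump` would record that. The `$(TARGET)` recipe starts before and continues after this hunk.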
@@ -91,9 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
                --enable-eap-peap \
                --enable-eap-mschapv2 \
                --enable-eap-identity \
-               $(PADLOCK)
+               --enable-unity \
+               $(CONFIGURE_OPTIONS)
 
-       cd $(DIR_APP) && make $(MAKETUNING) LDFLAGS="-lrt"
+       cd $(DIR_APP) && make $(MAKETUNING)
        cd $(DIR_APP) && make install
 
        # Remove all library files we don't want or need.
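Review bot: `--enable-unity` is added to the configure call with no comment on why the Cisco Unity extensions are wanted, and the rootfiles change in this commit ships `libstrongswan-unity.so` on every install. If charon loads all installed plugins, which I believe is its default but cannot see here, the Unity attribute handling becomes active for every IKEv1 connection rather than only the tunnels that need it. That is worth confirming and stating in a comment such as `# unity: Cisco Unity extensions for IKEv1, needed for <reason>`. The same hunk drops `LDFLAGS="-lrt"` from the `make` line, presumably because the final 5.1.1 release no longer needs it, which deserves a word in the commit message. The configure invocation begins outside this hunk.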
diff --git a/src/patches/strongswan-5.1.1-delay-dpd.patch b/src/patches/strongswan-5.1.1-delay-dpd.patch
new file mode 100644 (file)
index 0000000..db3d664
--- /dev/null
@@ -0,0 +1,35 @@
+From b76e96e2ef4d56c863b36c8d3c39e3c2efcf4a7c Mon Sep 17 00:00:00 2001
+From: Martin Willi <martin@revosec.ch>
+Date: Fri, 1 Nov 2013 11:28:53 +0100
+Subject: [PATCH] ike: Don't immediately DPD after deferred DELETEs following IKE_SA rekeying
+
+Some peers seem to defer DELETEs a few seconds after rekeying the IKE_SA, which
+is perfectly valid. For short(er) DPD delays, this leads to the situation where
+we send a DPD request during set_state(), but the IKE_SA has no hosts set yet.
+Avoid that DPD by resetting the INBOUND timestamp during set_state().
+---
+ src/libcharon/sa/ike_sa.c |    8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
+index 0282087..d482f8b 100644
+--- a/src/libcharon/sa/ike_sa.c
++++ b/src/libcharon/sa/ike_sa.c
+@@ -687,6 +687,14 @@ METHOD(ike_sa_t, set_state, void,
+                                       DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
+                               }
+                               trigger_dpd = this->peer_cfg->get_dpd(this->peer_cfg);
++                              if (trigger_dpd)
++                              {
++                                      /* Some peers delay the DELETE after rekeying an IKE_SA.
++                                       * If this delay is longer than our DPD delay, we would
++                                       * send a DPD request here. The IKE_SA is not ready to do
++                                       * so yet, so prevent that. */
++                                      this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED];
++                              }
+                       }
+                       break;
+               }
+-- 
+1.7.4.1
+
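Review bot: The added assignment `this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED];` relies on `STAT_ESTABLISHED` having been written earlier in the same branch of `set_state`. That code lies outside the hunk and should be checked against the 5.1.1 tree the patch is applied to. The in-code comment ends with "so prevent that" without saying how, so I would append a line such as `* Treat the establish time as the last inbound activity so the DPD check is not due immediately.` A side effect worth noting for operators is that, right after establishment, the inbound timestamp no longer reflects only packets actually received, and a peer that disappears at once is presumably detected one DPD delay later. The body of `set_state` starts and ends outside the hunk.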