authorTimo Teräs <timo.teras@iki.fi>2010-11-15 09:33:00 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2010-11-22 10:29:34 +0000
commitdef1174c6d4b3419e2837290d01af522cd45e2c8 (patch)
treeb3edf95fa4607f48304afef2d5648064f77a33c7
parent32570beceea3579afbb472c1fce4c9332beeb525 (diff)
main/ipsec-tools: fix for improving delete notify handling
The old one could crash under some rare circumstances (deleting a responder-mode ph1 in a very early state). (cherry picked from commit 2ac5487348024387beb27a336ca96a7b8128e7d5)
-rw-r--r--main/ipsec-tools/99-purge-on-delete-fix.patch110
-rw-r--r--main/ipsec-tools/APKBUILD6
2 files changed, 114 insertions, 2 deletions
diff --git a/main/ipsec-tools/99-purge-on-delete-fix.patch b/main/ipsec-tools/99-purge-on-delete-fix.patch
new file mode 100644
index 000000000..edcc28ac8
--- /dev/null
+++ b/main/ipsec-tools/99-purge-on-delete-fix.patch
@@ -0,0 +1,110 @@
+Index: src/racoon/handler.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.c,v
+retrieving revision 1.33
+diff -u -r1.33 handler.c
+--- a/src/racoon/handler.c 21 Oct 2010 06:04:33 -0000 1.33
++++ b/src/racoon/handler.c 15 Nov 2010 07:26:44 -0000
+@@ -514,6 +514,22 @@
+ LIST_INIT(&ph1tree);
+ }
+
++int
++ph1_rekey_enabled(iph1)
++ struct ph1handle *iph1;
++{
++ if (iph1->rmconf == NULL)
++ return 0;
++ if (iph1->rmconf->rekey == REKEY_FORCE)
++ return 1;
++#ifdef ENABLE_DPD
++ if (iph1->rmconf->rekey == REKEY_ON && iph1->dpd_support &&
++ iph1->rmconf->dpd_interval)
++ return 1;
++#endif
++ return 0;
++}
++
+ /* %%% management phase 2 handler */
+
+ int
+Index: src/racoon/handler.h
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.h,v
+retrieving revision 1.24
+diff -u -r1.24 handler.h
+--- a/src/racoon/handler.h 12 Nov 2010 09:09:47 -0000 1.24
++++ b/src/racoon/handler.h 15 Nov 2010 07:26:44 -0000
+@@ -493,6 +493,7 @@
+ extern int resolveph1rmconf __P((struct ph1handle *));
+ extern void flushph1 __P((void));
+ extern void initph1tree __P((void));
++extern int ph1_rekey_enabled __P((struct ph1handle *));
+
+ extern int enumph2 __P((struct ph2selector *ph2sel,
+ int (* enum_func)(struct ph2handle *iph2, void *arg),
+Index: src/racoon/isakmp.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v
+retrieving revision 1.65
+diff -u -r1.65 isakmp.c
+--- a/src/racoon/isakmp.c 12 Nov 2010 10:36:37 -0000 1.65
++++ b/src/racoon/isakmp.c 15 Nov 2010 07:26:45 -0000
+@@ -766,20 +766,6 @@
+ return 0;
+ }
+
+-static int
+-ph1_rekey_enabled(iph1)
+- struct ph1handle *iph1;
+-{
+- if (iph1->rmconf->rekey == REKEY_FORCE)
+- return 1;
+-#ifdef ENABLE_DPD
+- if (iph1->rmconf->rekey == REKEY_ON && iph1->dpd_support &&
+- iph1->rmconf->dpd_interval)
+- return 1;
+-#endif
+- return 0;
+-}
+-
+ /*
+ * main function of phase 1.
+ */
+@@ -2081,11 +2067,9 @@
+ src, dst, isakmp_pindex(&iph1->index, 0));
+
+ evt_phase1(iph1, EVT_PHASE1_DOWN, NULL);
+-
+- if (new_iph1 == NULL && ph1_rekey_enabled(iph1)) {
+- purge_remote(iph1);
++ if (new_iph1 == NULL && ph1_rekey_enabled(iph1))
+ script_hook(iph1, SCRIPT_PHASE1_DEAD);
+- }
++
+ racoon_free(src);
+ racoon_free(dst);
+
+Index: src/racoon/isakmp_inf.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c,v
+retrieving revision 1.43
+diff -u -r1.43 isakmp_inf.c
+--- a/src/racoon/isakmp_inf.c 12 Nov 2010 09:09:47 -0000 1.43
++++ b/src/racoon/isakmp_inf.c 15 Nov 2010 07:26:45 -0000
+@@ -516,10 +516,12 @@
+ sched_cancel(&del_ph1->scr);
+
+ /*
+- * Do not delete IPsec SAs when receiving an IKE delete notification.
+- * Just delete the IKE SA.
++ * Delete also IPsec-SAs if rekeying is enabled.
+ */
+- isakmp_ph1expire(del_ph1);
++ if (ph1_rekey_enabled(del_ph1))
++ purge_remote(del_ph1);
++ else
++ isakmp_ph1expire(del_ph1);
+ }
+ break;
+
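Review bot: The `iph1->rmconf == NULL` guard added to `ph1_rekey_enabled` in handler.c is the crash fix the commit message describes, but the isakmp.c hunk also removes `purge_remote(iph1)` from the phase 1 teardown path and leaves only `script_hook(iph1, SCRIPT_PHASE1_DEAD)`, which changes when IPsec SAs are torn down and is not mentioned in the message; record it in the commit description or in a one-line comment above the `if`. With that removal, the isakmp_inf.c delete-notify handler becomes the only place that calls `purge_remote(del_ph1)` for a rekey-enabled peer, so the comment it replaces should state the split explicitly, e.g. `* Purge the IPsec SAs too when rekeying is enabled; otherwise only expire the IKE SA.` instead of `* Delete also IPsec-SAs if rekeying is enabled.`. Both enclosing functions in isakmp.c and isakmp_inf.c start and end outside the hunk, so the checks performed on `del_ph1` before this branch cannot be reviewed from here; since a peer's delete notification now tears down IPsec SAs, it is worth confirming that only notifications accepted by the authenticated informational-exchange path reach it.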
diff --git a/main/ipsec-tools/APKBUILD b/main/ipsec-tools/APKBUILD
index 286144b66..26182b6b9 100644
--- a/main/ipsec-tools/APKBUILD
+++ b/main/ipsec-tools/APKBUILD
@@ -2,7 +2,7 @@
pkgname=ipsec-tools
pkgver=0.8_alpha20101022
_myver=0.8-alpha20101022
-pkgrel=2
+pkgrel=3
pkgdesc="User-space IPsec tools for various IPsec implementations"
url="http://ipsec-tools.sourceforge.net/"
license="BSD"
@@ -18,6 +18,7 @@ source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz
80-admin-big-reply-fix.patch
90-dpd-window-fix.patch
95-purge-on-delete-notify.patch
+ 99-purge-on-delete-fix.patch
"
_builddir="$srcdir"/$pkgname-$_myver
@@ -65,4 +66,5 @@ md5sums="1492b83edc944b5d32d2eff51e33399e ipsec-tools-0.8-alpha20101022.tar.gz
2d5d24c4a3684a38584f88720f71c7d6 75-racoonctl-rcvbuf.patch
c3898b162d284bc163f99cc52925b52a 80-admin-big-reply-fix.patch
0391a6967ad19673588302bc8b17e0e2 90-dpd-window-fix.patch
-8bc73a15407564321c8f571b5656b28d 95-purge-on-delete-notify.patch"
+8bc73a15407564321c8f571b5656b28d 95-purge-on-delete-notify.patch
+e8bee665227335d75880cf3753d2279e 99-purge-on-delete-fix.patch"