authorTimo Teräs <timo.teras@iki.fi>2010-11-15 09:33:00 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2010-11-22 10:29:34 +0000
commitdef1174c6d4b3419e2837290d01af522cd45e2c8 (patch)
treeb3edf95fa4607f48304afef2d5648064f77a33c7 /main
parent32570beceea3579afbb472c1fce4c9332beeb525 (diff)
main/ipsec-tools: fix for improving delete notify handling
the old one could crash under some rare circumstances (deleting responder mode ph1 in very early state). (cherry picked from commit 2ac5487348024387beb27a336ca96a7b8128e7d5)
Diffstat (limited to 'main')
-rw-r--r--main/ipsec-tools/99-purge-on-delete-fix.patch110
-rw-r--r--main/ipsec-tools/APKBUILD6
2 files changed, 114 insertions, 2 deletions
diff --git a/main/ipsec-tools/99-purge-on-delete-fix.patch b/main/ipsec-tools/99-purge-on-delete-fix.patch
new file mode 100644
index 00000000..edcc28ac
--- /dev/null
+++ b/main/ipsec-tools/99-purge-on-delete-fix.patch
@@ -0,0 +1,110 @@
+Index: src/racoon/handler.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.c,v
+retrieving revision 1.33
+diff -u -r1.33 handler.c
+--- a/src/racoon/handler.c 21 Oct 2010 06:04:33 -0000 1.33
++++ b/src/racoon/handler.c 15 Nov 2010 07:26:44 -0000
+@@ -514,6 +514,22 @@
+ LIST_INIT(&ph1tree);
+ }
+
++int
++ph1_rekey_enabled(iph1)
++ struct ph1handle *iph1;
++{
++ if (iph1->rmconf == NULL)
++ return 0;
++ if (iph1->rmconf->rekey == REKEY_FORCE)
++ return 1;
++#ifdef ENABLE_DPD
++ if (iph1->rmconf->rekey == REKEY_ON && iph1->dpd_support &&
++ iph1->rmconf->dpd_interval)
++ return 1;
++#endif
++ return 0;
++}
++
+ /* %%% management phase 2 handler */
+
+ int
+Index: src/racoon/handler.h
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.h,v
+retrieving revision 1.24
+diff -u -r1.24 handler.h
+--- a/src/racoon/handler.h 12 Nov 2010 09:09:47 -0000 1.24
++++ b/src/racoon/handler.h 15 Nov 2010 07:26:44 -0000
+@@ -493,6 +493,7 @@
+ extern int resolveph1rmconf __P((struct ph1handle *));
+ extern void flushph1 __P((void));
+ extern void initph1tree __P((void));
++extern int ph1_rekey_enabled __P((struct ph1handle *));
+
+ extern int enumph2 __P((struct ph2selector *ph2sel,
+ int (* enum_func)(struct ph2handle *iph2, void *arg),
+Index: src/racoon/isakmp.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v
+retrieving revision 1.65
+diff -u -r1.65 isakmp.c
+--- a/src/racoon/isakmp.c 12 Nov 2010 10:36:37 -0000 1.65
++++ b/src/racoon/isakmp.c 15 Nov 2010 07:26:45 -0000
+@@ -766,20 +766,6 @@
+ return 0;
+ }
+
+-static int
+-ph1_rekey_enabled(iph1)
+- struct ph1handle *iph1;
+-{
+- if (iph1->rmconf->rekey == REKEY_FORCE)
+- return 1;
+-#ifdef ENABLE_DPD
+- if (iph1->rmconf->rekey == REKEY_ON && iph1->dpd_support &&
+- iph1->rmconf->dpd_interval)
+- return 1;
+-#endif
+- return 0;
+-}
+-
+ /*
+ * main function of phase 1.
+ */
+@@ -2081,11 +2067,9 @@
+ src, dst, isakmp_pindex(&iph1->index, 0));
+
+ evt_phase1(iph1, EVT_PHASE1_DOWN, NULL);
+-
+- if (new_iph1 == NULL && ph1_rekey_enabled(iph1)) {
+- purge_remote(iph1);
++ if (new_iph1 == NULL && ph1_rekey_enabled(iph1))
+ script_hook(iph1, SCRIPT_PHASE1_DEAD);
+- }
++
+ racoon_free(src);
+ racoon_free(dst);
+
+Index: src/racoon/isakmp_inf.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c,v
+retrieving revision 1.43
+diff -u -r1.43 isakmp_inf.c
+--- a/src/racoon/isakmp_inf.c 12 Nov 2010 09:09:47 -0000 1.43
++++ b/src/racoon/isakmp_inf.c 15 Nov 2010 07:26:45 -0000
+@@ -516,10 +516,12 @@
+ sched_cancel(&del_ph1->scr);
+
+ /*
+- * Do not delete IPsec SAs when receiving an IKE delete notification.
+- * Just delete the IKE SA.
++ * Delete also IPsec-SAs if rekeying is enabled.
+ */
+- isakmp_ph1expire(del_ph1);
++ if (ph1_rekey_enabled(del_ph1))
++ purge_remote(del_ph1);
++ else
++ isakmp_ph1expire(del_ph1);
+ }
+ break;
+
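Review bot: In the isakmp_inf.c section the rekey branch now calls only `purge_remote(del_ph1)` and no longer reaches `isakmp_ph1expire(del_ph1)`, so the IKE SA is expired on that path only if purge_remote does it itself; purge_remote is not shown in this patch, so that should be confirmed. Because a received delete notification now removes the peer's IPsec SAs whenever rekeying is enabled, it is also worth confirming that this case is reached only for informational messages that have passed decryption and hash verification; the enclosing function starts and ends outside the hunk, so this cannot be checked here. The replacement comment drops the reasoning the old one carried; something like `/* Rekeying enabled: also purge the peer's IPsec SAs; otherwise only expire the IKE SA. */` would state both branches. In handler.c the new `rmconf == NULL` guard deserves a one-line comment such as `/* rmconf may be unset for a responder ph1 in a very early state */`, which is the crash case the commit message names.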
diff --git a/main/ipsec-tools/APKBUILD b/main/ipsec-tools/APKBUILD
index 286144b6..26182b6b 100644
--- a/main/ipsec-tools/APKBUILD
+++ b/main/ipsec-tools/APKBUILD
@@ -2,7 +2,7 @@
pkgname=ipsec-tools
pkgver=0.8_alpha20101022
_myver=0.8-alpha20101022
-pkgrel=2
+pkgrel=3
pkgdesc="User-space IPsec tools for various IPsec implementations"
url="http://ipsec-tools.sourceforge.net/"
license="BSD"
@@ -18,6 +18,7 @@ source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz
80-admin-big-reply-fix.patch
90-dpd-window-fix.patch
95-purge-on-delete-notify.patch
+ 99-purge-on-delete-fix.patch
"
_builddir="$srcdir"/$pkgname-$_myver
@@ -65,4 +66,5 @@ md5sums="1492b83edc944b5d32d2eff51e33399e ipsec-tools-0.8-alpha20101022.tar.gz
2d5d24c4a3684a38584f88720f71c7d6 75-racoonctl-rcvbuf.patch
c3898b162d284bc163f99cc52925b52a 80-admin-big-reply-fix.patch
0391a6967ad19673588302bc8b17e0e2 90-dpd-window-fix.patch
-8bc73a15407564321c8f571b5656b28d 95-purge-on-delete-notify.patch"
+8bc73a15407564321c8f571b5656b28d 95-purge-on-delete-notify.patch
+e8bee665227335d75880cf3753d2279e 99-purge-on-delete-fix.patch"