This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via c648458609b87478266e691429131ed2c8d70f9a (commit) via 34daf4dbf8e4e5e4fb901f8dcece703480a1ac1f (commit) via 33590570fb5ea3bad3232d208d7515cf43fcd701 (commit) via d3527a38c16451d956c623901d11472ebbe47e98 (commit) via 36b1c19138f9936ae97fac4f94c443593702f22d (commit) from ec985733a532fb257e75fd75a10746fe9c8cfb80 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit c648458609b87478266e691429131ed2c8d70f9a Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Nov 13 00:25:27 2013 +0100
strongswan: Delay sending DPD packets after rekeying.
commit 34daf4dbf8e4e5e4fb901f8dcece703480a1ac1f Merge: ec98573 3359057 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Nov 9 14:33:16 2013 +0100
Merge branch 'master' into next
-----------------------------------------------------------------------
Summary of changes: config/rootfiles/core/73/filelists/files | 2 + html/cgi-bin/netinternal.cgi | 4 +- html/cgi-bin/proxy.cgi | 4 +- html/cgi-bin/vpnmain.cgi | 4 +- lfs/openssh | 4 +- lfs/squid | 7 +- lfs/strongswan | 1 + .../squid-3.3.10-optional-ssl-options.patch | 148 +++++++++++++++++++++ src/patches/strongswan-5.1.1-delay-dpd.patch | 35 +++++ 9 files changed, 199 insertions(+), 10 deletions(-) create mode 100644 src/patches/squid-3.3.10-optional-ssl-options.patch create mode 100644 src/patches/strongswan-5.1.1-delay-dpd.patch
Difference in files: diff --git a/config/rootfiles/core/73/filelists/files b/config/rootfiles/core/73/filelists/files index 6df851e..8ddb964 100644 --- a/config/rootfiles/core/73/filelists/files +++ b/config/rootfiles/core/73/filelists/files @@ -3,9 +3,11 @@ etc/issue etc/rc.d/init.d/dnsmasq etc/rc.d/init.d/squid srv/web/ipfire/cgi-bin/logs.cgi/proxylog.dat +srv/web/ipfire/cgi-bin/netinternal.cgi srv/web/ipfire/cgi-bin/proxy.cgi srv/web/ipfire/cgi-bin/routing.cgi srv/web/ipfire/cgi-bin/wirelessclient.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi srv/web/ipfire/html/redirect.cgi srv/web/ipfire/html/redirect-templates/ var/ipfire/header.pl diff --git a/html/cgi-bin/netinternal.cgi b/html/cgi-bin/netinternal.cgi index 60560f3..3f2fb56 100644 --- a/html/cgi-bin/netinternal.cgi +++ b/html/cgi-bin/netinternal.cgi @@ -61,8 +61,8 @@ if ( $querry[0] =~ /wireless/ ){ &Header::openbigbox('100%', 'left');
push (@graphs, ($netsettings{'GREEN_DEV'})); - if ($netsettings{'BLUE_DEV'}) {push (@graphs, ($netsettings{'BLUE_DEV'})); } - if ($netsettings{'ORANGE_DEV'}) {push (@graphs, ($netsettings{'ORANGE_DEV'})); } + if (&Header::blue_used() && $netsettings{'BLUE_DEV'}) {push (@graphs, ($netsettings{'BLUE_DEV'})); } + if (&Header::orange_used() && $netsettings{'ORANGE_DEV'}) {push (@graphs, ($netsettings{'ORANGE_DEV'})); }
my @wirelessgraphs = `ls -dA /var/log/rrd/collectd/localhost/wireless* 2>/dev/null`; foreach (@wirelessgraphs){ diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index 25e935b..6dd900f 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi @@ -180,8 +180,8 @@ close(FILE); &General::readhash("${General::swroot}/main/settings", %mainsettings);
my $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"); -my $blue_cidr = "# Blue not defined"; -if ($netsettings{'BLUE_DEV'}) { +my $blue_cidr = ""; +if (&Header::blue_used() && $netsettings{'BLUE_DEV'}) { $blue_cidr = &General::ipcidr("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"); }
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 58645c3..a40894e 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -61,11 +61,11 @@ my %mainsettings = ();
my $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"); my $blue_cidr = "# Blue not defined"; -if ($netsettings{'BLUE_DEV'}) { +if (&Header::blue_used() && $netsettings{'BLUE_DEV'}) { $blue_cidr = &General::ipcidr("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"); } my $orange_cidr = "# Orange not defined"; -if ($netsettings{'ORANGE_DEV'}) { +if (&Header::orange_used() && $netsettings{'ORANGE_DEV'}) { $orange_cidr = &General::ipcidr("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"); }
diff --git a/lfs/openssh b/lfs/openssh index 3d4ef2f..17772c1 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -24,7 +24,7 @@
include Config
-VER = 6.2p2 +VER = 6.4p1
THISAPP = openssh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = be46174dcbb77ebb4ea88ef140685de1 +$(DL_FILE)_MD5 = a62b88b884df0b09b8a8c5789ac9e51b
install : $(TARGET)
diff --git a/lfs/squid b/lfs/squid index bc0ef71..a341857 100644 --- a/lfs/squid +++ b/lfs/squid @@ -24,7 +24,7 @@
include Config
-VER = 3.3.9 +VER = 3.3.10
THISAPP = squid-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 6c4ba0d63c3a6d94de2da689f361cdab +$(DL_FILE)_MD5 = 28058812d722cac303517a643e28bcb0
install : $(TARGET)
@@ -70,6 +70,9 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE) + + cd $(DIR_APP) && patch -Np0 < $(DIR_SRC)/src/patches/squid-3.3.10-optional-ssl-options.patch + cd $(DIR_APP) && ./configure \ --prefix=/usr \ --sysconfdir=/etc/squid \ diff --git a/lfs/strongswan b/lfs/strongswan index 701e3c5..c7abf7a 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -82,6 +82,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-4.5.3_ipfire.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.1.1-delay-dpd.patch
cd $(DIR_APP) && [ -x "configure" ] || ./autogen.sh cd $(DIR_APP) && ./configure \ diff --git a/src/patches/squid-3.3.10-optional-ssl-options.patch b/src/patches/squid-3.3.10-optional-ssl-options.patch new file mode 100644 index 0000000..f6a108c --- /dev/null +++ b/src/patches/squid-3.3.10-optional-ssl-options.patch @@ -0,0 +1,148 @@ +From: http://bazaar.launchpad.net/~squid/squid/3-trunk/revision/13115 + +Committer: Christos Tsantilas +Date: 2013-11-07 10:46:14 UTC +Revision ID: chtsanti@users.sourceforge.net-20131107104614-s3a9kzlkgm7x9rhf + +http://bugs.squid-cache.org/show_bug.cgi?id=3936 +Bug 3936: error-details.txt parse error + +Squid fails parsing error-details.txt template when one or more listed OpenSSL +errors are not supported on running platform. +This patch add a hardcoded list of OpenSSL errors wich can be optional. + +This is a Measurement Factory project + +=== modified file 'src/ssl/ErrorDetail.cc' +--- src/ssl/ErrorDetail.cc 2013-07-31 00:13:04 +0000 ++++ src/ssl/ErrorDetail.cc 2013-11-07 10:46:14 +0000 +@@ -221,6 +221,31 @@ + {SSL_ERROR_NONE, NULL} + }; + ++static const char *OptionalSslErrors[] = { ++ "X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER", ++ "X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION", ++ "X509_V_ERR_KEYUSAGE_NO_CRL_SIGN", ++ "X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION", ++ "X509_V_ERR_INVALID_NON_CA", ++ "X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED", ++ "X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE", ++ "X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED", ++ "X509_V_ERR_INVALID_EXTENSION", ++ "X509_V_ERR_INVALID_POLICY_EXTENSION", ++ "X509_V_ERR_NO_EXPLICIT_POLICY", ++ "X509_V_ERR_DIFFERENT_CRL_SCOPE", ++ "X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE", ++ "X509_V_ERR_UNNESTED_RESOURCE", ++ "X509_V_ERR_PERMITTED_VIOLATION", ++ "X509_V_ERR_EXCLUDED_VIOLATION", ++ "X509_V_ERR_SUBTREE_MINMAX", ++ "X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE", ++ "X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX", ++ "X509_V_ERR_UNSUPPORTED_NAME_SYNTAX", ++ "X509_V_ERR_CRL_PATH_VALIDATION_ERROR", ++ NULL ++}; ++ + struct SslErrorAlias { + const char *name; + const Ssl::ssl_error_t *errors; +@@ -331,6 +356,16 @@ + return NULL; + } + ++bool ++Ssl::ErrorIsOptional(const char *name) ++{ ++ for (int i = 0; OptionalSslErrors[i] != NULL; ++i) { ++ if (strcmp(name, OptionalSslErrors[i]) == 0) ++ return true; ++ } ++ return false; ++} ++ + const char * + Ssl::GetErrorDescr(Ssl::ssl_error_t value) + { + +=== modified file 'src/ssl/ErrorDetail.h' +--- src/ssl/ErrorDetail.h 2013-05-30 10:10:29 +0000 ++++ src/ssl/ErrorDetail.h 2013-11-07 10:46:14 +0000 +@@ -40,6 +40,14 @@ + + /** + \ingroup ServerProtocolSSLAPI ++ * Return true if the SSL error is optional and may not supported ++ * by current squid version ++ */ ++ ++bool ErrorIsOptional(const char *name); ++ ++/** ++ \ingroup ServerProtocolSSLAPI + * Used to pass SSL error details to the error pages returned to the + * end user. + */ + +=== modified file 'src/ssl/ErrorDetailManager.cc' +--- src/ssl/ErrorDetailManager.cc 2013-10-25 00:13:46 +0000 ++++ src/ssl/ErrorDetailManager.cc 2013-11-07 10:46:14 +0000 +@@ -218,32 +218,35 @@ + } + + Ssl::ssl_error_t ssl_error = Ssl::GetErrorCode(errorName.termedBuf()); +- if (ssl_error == SSL_ERROR_NONE) { ++ if (ssl_error != SSL_ERROR_NONE) { ++ ++ if (theDetails->getErrorDetail(ssl_error)) { ++ debugs(83, DBG_IMPORTANT, HERE << ++ "WARNING! duplicate entry: " << errorName); ++ return false; ++ } ++ ++ ErrorDetailEntry &entry = theDetails->theList[ssl_error]; ++ entry.error_no = ssl_error; ++ entry.name = errorName; ++ String tmp = parser.getByName("detail"); ++ httpHeaderParseQuotedString(tmp.termedBuf(), tmp.size(), &entry.detail); ++ tmp = parser.getByName("descr"); ++ httpHeaderParseQuotedString(tmp.termedBuf(), tmp.size(), &entry.descr); ++ bool parseOK = entry.descr.defined() && entry.detail.defined(); ++ ++ if (!parseOK) { ++ debugs(83, DBG_IMPORTANT, HERE << ++ "WARNING! missing important field for detail error: " << errorName); ++ return false; ++ } ++ ++ } else if (!Ssl::ErrorIsOptional(errorName.termedBuf())) { + debugs(83, DBG_IMPORTANT, HERE << + "WARNING! invalid error detail name: " << errorName); + return false; + } + +- if (theDetails->getErrorDetail(ssl_error)) { +- debugs(83, DBG_IMPORTANT, HERE << +- "WARNING! duplicate entry: " << errorName); +- return false; +- } +- +- ErrorDetailEntry &entry = theDetails->theList[ssl_error]; +- entry.error_no = ssl_error; +- entry.name = errorName; +- String tmp = parser.getByName("detail"); +- httpHeaderParseQuotedString(tmp.termedBuf(), tmp.size(), &entry.detail); +- tmp = parser.getByName("descr"); +- httpHeaderParseQuotedString(tmp.termedBuf(), tmp.size(), &entry.descr); +- bool parseOK = entry.descr.defined() && entry.detail.defined(); +- +- if (!parseOK) { +- debugs(83, DBG_IMPORTANT, HERE << +- "WARNING! missing imporant field for detail error: " << errorName); +- return false; +- } + }// else {only spaces and black lines; just ignore} + + buf.consume(size); + diff --git a/src/patches/strongswan-5.1.1-delay-dpd.patch b/src/patches/strongswan-5.1.1-delay-dpd.patch new file mode 100644 index 0000000..db3d664 --- /dev/null +++ b/src/patches/strongswan-5.1.1-delay-dpd.patch @@ -0,0 +1,35 @@ +From b76e96e2ef4d56c863b36c8d3c39e3c2efcf4a7c Mon Sep 17 00:00:00 2001 +From: Martin Willi martin@revosec.ch +Date: Fri, 1 Nov 2013 11:28:53 +0100 +Subject: [PATCH] ike: Don't immediately DPD after deferred DELETEs following IKE_SA rekeying + +Some peers seem to defer DELETEs a few seconds after rekeying the IKE_SA, which +is perfectly valid. For short(er) DPD delays, this leads to the situation where +we send a DPD request during set_state(), but the IKE_SA has no hosts set yet. +Avoid that DPD by resetting the INBOUND timestamp during set_state(). +--- + src/libcharon/sa/ike_sa.c | 8 ++++++++ + 1 files changed, 8 insertions(+), 0 deletions(-) + +diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c +index 0282087..d482f8b 100644 +--- a/src/libcharon/sa/ike_sa.c ++++ b/src/libcharon/sa/ike_sa.c +@@ -687,6 +687,14 @@ METHOD(ike_sa_t, set_state, void, + DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t); + } + trigger_dpd = this->peer_cfg->get_dpd(this->peer_cfg); ++ if (trigger_dpd) ++ { ++ /* Some peers delay the DELETE after rekeying an IKE_SA. ++ * If this delay is longer than our DPD delay, we would ++ * send a DPD request here. The IKE_SA is not ready to do ++ * so yet, so prevent that. */ ++ this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED]; ++ } + } + break; + } +-- +1.7.4.1 +
hooks/post-receive -- IPFire 2.x development tree