This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 54206b6e35cacf20218addcbaaaf50029afd6e69 (commit) via 4d7f9a81ac575207edb6bb69f8bbea8762feab96 (commit) from b84a9b078dae234641a3708fbd7c1624c0731468 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 54206b6e35cacf20218addcbaaaf50029afd6e69 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Dec 19 14:12:29 2015 +0000
curl: Fix certificate validation
curl did not find the certificate bundle so that server certificates could not be verified.
Fixes #10995
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4d7f9a81ac575207edb6bb69f8bbea8762feab96 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Dec 19 14:09:10 2015 +0000
strongswan: Update to 5.3.5
Also ships a fix for #853 upstream.
Fixes #10998
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: .../{oldcore/92 => core/96}/filelists/curl | 0 lfs/curl | 5 +- lfs/strongswan | 5 +- ...n-event-when-deleting-redundant-CHILD_SAs.patch | 56 ++++++++++++++++++++++ 4 files changed, 63 insertions(+), 3 deletions(-) copy config/rootfiles/{oldcore/92 => core/96}/filelists/curl (100%) create mode 100644 src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch
Difference in files: diff --git a/config/rootfiles/core/96/filelists/curl b/config/rootfiles/core/96/filelists/curl new file mode 120000 index 0000000..4b84bef --- /dev/null +++ b/config/rootfiles/core/96/filelists/curl @@ -0,0 +1 @@ +../../../common/curl \ No newline at end of file diff --git a/lfs/curl b/lfs/curl index 7de9aa3..29de280 100644 --- a/lfs/curl +++ b/lfs/curl @@ -70,7 +70,10 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xvf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && ./configure --prefix=/usr --disable-ipv6 + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --disable-ipv6 \ + --with-ca-bundle=/etc/ssl/certs/ca-bundle.crt cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install # Create symlink to new curl lib for old binaries diff --git a/lfs/strongswan b/lfs/strongswan index 566f1af..c6d655b 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@
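Review bot: The `--with-ca-bundle=/etc/ssl/certs/ca-bundle.crt` line in the new configure call hard-codes the trust-store path with no comment tying it to whatever installs that file, and nothing visible in this hunk checks at build time that the bundle is present. If the path drifts from where the CA bundle is actually installed, curl will again be unable to verify server certificates, which is the failure this commit fixes. I would add a comment above the configure call such as `# CA bundle path must match the file installed by the CA certificates package; TLS verification fails if it is missing`. It may also be worth checking, outside this hunk, whether any callers were switched to `-k`/`--insecure` as a workaround while verification was broken and can now be reverted.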
include Config
-VER = 5.3.4 +VER = 5.3.5
THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -48,7 +48,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 655a632a515c74a99f2e9cc337ab2f33 +$(DL_FILE)_MD5 = a2f9ea185f27e7f8413d4cd2ee61efe4
install : $(TARGET)
@@ -79,6 +79,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch
cd $(DIR_APP) && ./configure \ --prefix="/usr" \ diff --git a/src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch b/src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch new file mode 100644 index 0000000..27b6f06 --- /dev/null +++ b/src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch 
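Review bot: The added `patch -Np1 < …` line uses shell redirection while the strongswan-ipfire.patch line directly above it uses `-i`; keeping one form makes the recipe easier to scan, e.g. `cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch`. The patch is a backport of upstream commit 0e32cbc0 (per its header), so a short comment saying it should be dropped once VER includes that commit would stop it lingering across later version bumps. The $(TARGET) recipe continues outside the hunk.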
@@ -0,0 +1,56 @@
+From 0e32cbc0bc8fce3319491db360fb23b16561ec58 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner tobias@strongswan.org
+Date: Tue, 15 Dec 2015 17:15:32 +0100
+Subject: [PATCH] child-rekey: Suppress updown event when deleting redundant
+ CHILD_SAs
+
+When handling a rekey collision we might have to delete an already
+installed redundant CHILD_SA (or expect the other peer to do so). We don't
+want to trigger updown events for these as we don't during rekeying.
+
+Instead of setting the state to CHILD_REKEYING we could maybe use
+CHILD_REKEYED, which we currently only use for IKEv1, and set it for
+all CHILD_SAs we delete or expect the other peer to delete. Would need
+a small change in child-delete too. Or we could introduce a new state.
+
+ #853.
+---
+ src/libcharon/sa/ikev2/tasks/child_rekey.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c
+index c7a8a13..6f0c2b2 100644
+--- a/src/libcharon/sa/ikev2/tasks/child_rekey.c
++++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c
+@@ -279,11 +279,15 @@ static child_sa_t *handle_collision(private_child_rekey_t *this)
+ /* don't touch child other created, it has already been deleted */
+ if (!this->other_child_destroyed)
+ {
+- /* disable close action for the redundand child */
++ /* disable close action and updown event for redundant child */
+ child_sa = other->child_create->get_child(other->child_create);
+ if (child_sa)
+ {
+ child_sa->set_close_action(child_sa, ACTION_NONE);
++ if (child_sa->get_state(child_sa) != CHILD_REKEYING)
++ {
++ child_sa->set_state(child_sa, CHILD_REKEYING);
++ }
+ }
+ }
+ }
+@@ -372,6 +376,11 @@ METHOD(task_t, process_i, status_t,
+ {
+ return SUCCESS;
+ }
++ /* disable updown event for redundant CHILD_SA */
++ if (to_delete->get_state(to_delete) != CHILD_REKEYING)
++ {
++ to_delete->set_state(to_delete, CHILD_REKEYING);
++ }
+ spi = to_delete->get_spi(to_delete, TRUE);
+ protocol = to_delete->get_protocol(to_delete);
+
+--
+1.7.9.5
+
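Review bot: Both added blocks in child_rekey.c reuse CHILD_REKEYING as a marker meaning "do not fire updown for this SA", but the new comments only say what is disabled, not how; the suppression depends on delete-path code that is not visible in these hunks treating CHILD_REKEYING that way. Since updown hooks typically drive firewall and routing changes for the tunnel, I would spell the coupling out, e.g. `/* mark as CHILD_REKEYING so the delete path skips the updown event for this redundant SA */`, in both handle_collision() and process_i(). The `!= CHILD_REKEYING` guard before each set_state() looks redundant unless set_state() has side effects on a same-state call; if so, that is worth a word in the comment too. The patch description itself notes a dedicated state may be cleaner. Both functions start and end outside the hunks.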
hooks/post-receive -- IPFire 2.x development tree