rpms/ipsec-tools/devel ipsec-tools-0.7-acquires.patch, NONE, 1.1 ipsec-tools-0.7-libs.patch, NONE, 1.1 ipsec-tools-0.7-loopback.patch, NONE, 1.1 .cvsignore, 1.11, 1.12 ipsec-tools.spec, 1.42, 1.43 sources, 1.11, 1.12 ipsec-tools-0.2.4-racoon-dest.patch, 1.2, NONE ipsec-tools-0.2.5-verifycb.patch, 1.1, NONE ipsec-tools-0.3.3-stdin.patch, 1.1, NONE ipsec-tools-0.5-64bit.patch, 1.2, NONE ipsec-tools-0.5-libs.patch, 1.1, NONE ipsec-tools-0.6.1-openssl-098.patch, 1.2, NONE ipsec-tools-0.6.5-CVE-2007-1841.patch, 1.1, NONE ipsec-tools-0.6.5-acquires.patch, 1.1, NONE ipsec-tools-0.6.5-context-increase.patch, 1.1, NONE ipsec-tools-0.6.5-ctx.patch, 1.1, NONE ipsec-tools-0.6.5-leak.patch, 1.2, NONE ipsec-tools-0.6.5-loopback.patch, 1.1, NONE ipsec-tools-0.6.5-mls.patch, 1.1, NONE ipsec-tools-fix.diff, 1.1, NONE racoon-lspp-ipsec.patch, 1.2, NONE
Steve Conklin (sconklin)
fedora-extras-commits at redhat.com
Wed Aug 29 04:05:30 UTC 2007
Author: sconklin
Update of /cvs/pkgs/rpms/ipsec-tools/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4051
Modified Files:
.cvsignore ipsec-tools.spec sources
Added Files:
ipsec-tools-0.7-acquires.patch ipsec-tools-0.7-libs.patch
ipsec-tools-0.7-loopback.patch
Removed Files:
ipsec-tools-0.2.4-racoon-dest.patch
ipsec-tools-0.2.5-verifycb.patch ipsec-tools-0.3.3-stdin.patch
ipsec-tools-0.5-64bit.patch ipsec-tools-0.5-libs.patch
ipsec-tools-0.6.1-openssl-098.patch
ipsec-tools-0.6.5-CVE-2007-1841.patch
ipsec-tools-0.6.5-acquires.patch
ipsec-tools-0.6.5-context-increase.patch
ipsec-tools-0.6.5-ctx.patch ipsec-tools-0.6.5-leak.patch
ipsec-tools-0.6.5-loopback.patch ipsec-tools-0.6.5-mls.patch
ipsec-tools-fix.diff racoon-lspp-ipsec.patch
Log Message:
Rebase to 0.7 upstream
ipsec-tools-0.7-acquires.patch:
--- NEW FILE ipsec-tools-0.7-acquires.patch ---
--- ipsec-tools-0.7/src/racoon/handler.h.acquires 2007-08-28 22:18:35.000000000 -0500
+++ ipsec-tools-0.7/src/racoon/handler.h 2007-08-28 22:19:57.000000000 -0500
@@ -284,6 +284,8 @@
u_int8_t flags; /* Flags for phase 2 */
u_int32_t msgid; /* msgid for phase 2 */
+
+ u_int32_t sa_count; /* num of SAs sent in SADB_ADD */
struct sainfo *sainfo; /* place holder of sainfo */
struct saprop *proposal; /* SA(s) proposal. */
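Review bot: The new `sa_count` field's comment describes what is stored but not who owns it, and the handle's lifecycle across pk_sendadd and pk_recvadd is exactly what the next reader needs; suggest `/* SADB_ADD replies still outstanding: set by pk_sendadd, decremented by pk_recvadd, handle becomes PHASE2ST_ESTABLISHED at 0 */`. The scheme also relies on the field starting at zero in a fresh handle, which holds only if the allocator zero-fills struct ph2handle; if it does not, initialise it where the handle is created.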
--- ipsec-tools-0.7/src/racoon/pfkey.c.acquires 2007-08-01 06:52:21.000000000 -0500
+++ ipsec-tools-0.7/src/racoon/pfkey.c 2007-08-28 22:08:22.000000000 -0500
@@ -1265,7 +1265,9 @@
SCHED_KILL(iph2->sce);
/* update status */
- iph2->status = PHASE2ST_ESTABLISHED;
+ /* Do this in pk_recvadd
+ * iph2->status = PHASE2ST_ESTABLISHED;
+ */
#ifdef ENABLE_STATS
gettimeofday(&iph2->end, NULL);
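Review bot: The status assignment is left in place as commented-out code rather than removed, which is the kind of dead text that gets resurrected by a later merge; delete the three lines and keep a single why-comment, `/* PHASE2ST_ESTABLISHED is set in pk_recvadd once every SADB_ADD reply has arrived */`. The enclosing function (pk_recvupdate, by the SCHED_KILL/ENABLE_STATS context) starts and ends outside this hunk.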
@@ -1311,6 +1313,7 @@
struct saproto *pr;
int proxy = 0;
struct pfkey_send_sa_args sa_args;
+ u_int32_t sa_sent = 0;
/* sanity check */
if (iph2->approval == NULL) {
@@ -1427,6 +1430,9 @@
return -1;
}
+ /* keep count of SAs added */
+ sa_sent++;
+
if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
continue;
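Review bot: `sa_sent` is incremented here but only copied into `iph2->sa_count` at the end of the loop (the `iph2->sa_count = sa_sent;` line in the next hunk), so when a later SADB_ADD fails and the function takes the `return -1` path above, the handle keeps its previous count while replies for the SAs already added can still arrive at pk_recvadd. Whether that is harmless depends on the caller tearing the handle down on -1, which is not visible here; a comment on the final assignment such as `/* on failure the count is intentionally left untouched: caller discards the handle */` would document that assumption, or confirm it and make the assignment unconditional before each early return. The loop and the preceding `return -1` belong to pk_sendadd, whose start lies outside this hunk.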
@@ -1447,6 +1453,7 @@
sadbsecas2str(sa_args.src, sa_args.dst,
sa_args.satype, sa_args.spi, sa_args.mode));
}
+ iph2->sa_count = sa_sent;
return 0;
}
@@ -1502,10 +1509,20 @@
}
/*
- * NOTE don't update any status of phase2 handle
- * because they must be updated by SADB_UPDATE message
+ * Thus, update the status of phase 2 handle after all SADB_ADD
+ * msgs have been received for the handle, rather than
+ * after SADB_UPDATE.
+ *
+ * This also removes the possibilty of processing an ACQUIRE
+ * received by kernel for SAs we are still adding.
*/
+ if (iph2->sa_count) {
+ iph2->sa_count = iph2->sa_count - 1;
+ if (iph2->sa_count == 0)
+ iph2->status = PHASE2ST_ESTABLISHED;
+ }
+
plog(LLV_INFO, LOCATION, NULL,
"IPsec-SA established: %s\n",
sadbsecas2str(iph2->src, iph2->dst,
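Review bot: A reply that arrives when `iph2->sa_count` is already 0 is silently ignored by the `if (iph2->sa_count)` guard, so a handle that somehow bypassed pk_sendadd's count never becomes PHASE2ST_ESTABLISHED and nothing records why; an `else` branch with a `plog(LLV_DEBUG, ...)` noting the unexpected reply would make that state diagnosable. The comment's opening "Thus," refers to the sentence the hunk removed and now reads as a dangling conclusion; rewording it to state the rule directly (status is advanced on the last SADB_ADD reply, not on SADB_UPDATE) would help. `iph2->sa_count = iph2->sa_count - 1;` is more idiomatically `iph2->sa_count--;`.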
@@ -1589,8 +1606,6 @@
/* turn off the timer for calling isakmp_ph2expire() */
SCHED_KILL(iph2->sce);
- iph2->status = PHASE2ST_EXPIRED;
-
/* INITIATOR, begin phase 2 exchange. */
/* allocate buffer for status management of pfkey message */
if (iph2->side == INITIATOR) {
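Review bot: Removing the PHASE2ST_EXPIRED assignment here means the INITIATOR branch that follows starts the re-negotiation with the handle still carrying its previous status, presumably PHASE2ST_ESTABLISHED; if that is intended so the handle is still matched in pk_recvacquire while the new exchange runs, say so in place of the deleted lines, e.g. `/* keep the old status: the handle is reused for re-negotiation and must still match in pk_recvacquire */`. The enclosing function (pk_recvexpire, by the isakmp_ph2expire comment) starts outside this hunk.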
@@ -1618,6 +1633,7 @@
/* If not received SADB_EXPIRE, INITIATOR delete ph2handle. */
/* RESPONDER always delete ph2handle, keep silent. RESPONDER doesn't
* manage IPsec SA, so delete the list */
+ iph2->status = PHASE2ST_EXPIRED;
unbindph12(iph2);
remph2(iph2);
delph2(iph2);
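Review bot: The added `iph2->status = PHASE2ST_EXPIRED;` is immediately followed by unbindph12, remph2 and delph2, so it has no effect unless one of those three reads the status before the handle is freed; as far as this hunk shows it is dead. Either drop it or add a comment naming the reader that depends on it. The enclosing function ends outside this hunk.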
@@ -1739,8 +1755,17 @@
* 2. its state is equal to PHASE2ST_ESTABLISHED, then racoon
* has to prcesss such a acquire message because racoon may
* lost the expire message.
+ *
+ * When in responder role, an spid doesn't get added to
+ * the handler since responder didn't receive acquire.
+ * Thus there is the case that a negotiation can be occurring
+ * and responder receives acquire for same policy. So to prevent
+ * another identical negotiation, also check by address.
*/
iph2[0] = getph2byid(src, dst, xpl->sadb_x_policy_id);
+ if (iph2[0] == NULL)
+ iph2[0] = getph2bysaddr(src, dst);
+
if (iph2[0] != NULL) {
if (iph2[0]->status < PHASE2ST_ESTABLISHED) {
plog(LLV_DEBUG, LOCATION, NULL,
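Review bot: The fallback to getph2bysaddr matches on endpoint addresses only, while the comment justifies it with "acquire for same policy"; two distinct policies between the same pair of peers would now resolve to each other's handle, and the `status < PHASE2ST_ESTABLISHED` branch below this fallback (which logs at DEBUG and, from its position, appears to drop the acquire) would then suppress negotiation of the second policy for as long as the first is in flight. Since the comment describes the responder case specifically, consider narrowing the fallback, e.g. `if (iph2[0] != NULL && iph2[0]->side != RESPONDER) iph2[0] = NULL;` after the getph2bysaddr call, or comparing the acquired selectors against the handle's before accepting it. The enclosing function (pk_recvacquire) starts and ends outside this hunk.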
ipsec-tools-0.7-libs.patch:
--- NEW FILE ipsec-tools-0.7-libs.patch ---
--- ipsec-tools-0.7/configure.spcorig 2007-08-28 17:20:57.000000000 -0500
+++ ipsec-tools-0.7/configure 2007-08-28 17:23:24.000000000 -0500
@@ -28669,6 +28669,7 @@
include_racoondir=${includedir}/racoon
+LIBS="-Wl,--as-needed $LIBS"
ac_config_files="$ac_config_files Makefile package_version.h src/Makefile src/include-glibc/Makefile src/libipsec/Makefile src/setkey/Makefile src/racoon/Makefile src/racoon/samples/psk.txt src/racoon/samples/racoon.conf rpm/Makefile rpm/suse/Makefile rpm/suse/ipsec-tools.spec"
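Review bot: The `LIBS="-Wl,--as-needed $LIBS"` line is patched into the generated configure script rather than configure.ac, so it disappears the moment the build runs autoreconf (the spec already BuildRequires automake and libtool); the same effect is obtained more robustly by adding it to configure.ac, or by exporting LDFLAGS/LIBS from the spec before %configure. If patching configure directly is deliberate, a comment above the line saying that it must be re-applied after regeneration would save the next rebase some debugging.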
ipsec-tools-0.7-loopback.patch:
--- NEW FILE ipsec-tools-0.7-loopback.patch ---
Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/ipsec-tools/devel/.cvsignore,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- .cvsignore 17 Jan 2007 13:09:04 -0000 1.11
+++ .cvsignore 29 Aug 2007 04:04:57 -0000 1.12
@@ -1 +1,2 @@
ipsec-tools-0.6.6.tar.bz2
+ipsec-tools-0.7.tar.bz2
Index: ipsec-tools.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ipsec-tools/devel/ipsec-tools.spec,v
retrieving revision 1.42
retrieving revision 1.43
diff -u -r1.42 -r1.43
--- ipsec-tools.spec 25 Apr 2007 16:31:24 -0000 1.42
+++ ipsec-tools.spec 29 Aug 2007 04:04:57 -0000 1.43
@@ -1,6 +1,6 @@
Name: ipsec-tools
-Version: 0.6.6
-Release: 7%{?dist}
+Version: 0.7
+Release: 1%{?dist}
Summary: Tools for configuring and using IPSEC
License: BSD
Group: System Environment/Base
@@ -12,17 +12,10 @@
Source4: psk.txt
Source5: xfrm.h
Source6: udp.h
-Patch: ipsec-tools-0.5-libs.patch
+Patch: ipsec-tools-0.7-libs.patch
Patch2: isakmp.c.diff
-Patch5: ipsec-tools-0.5-64bit.patch
-Patch7: ipsec-tools-0.6.5-mls.patch
-Patch9: racoon-lspp-ipsec.patch
-Patch10: ipsec-tools-0.6.5-ctx.patch
-Patch11: ipsec-tools-0.6.5-acquires.patch
-Patch12: ipsec-tools-0.6.5-loopback.patch
-#Patch13: ipsec-tools-0.6.5-context-increase.patch
-#Patch14: ipsec-tools-0.6.5-leak.patch
-Patch13: ipsec-tools-0.6.5-CVE-2007-1841.patch
+Patch3: ipsec-tools-0.7-acquires.patch
+Patch4: ipsec-tools-0.7-loopback.patch
BuildRequires: openssl-devel, krb5-devel, bison, flex, automake, libtool
BuildRequires: libselinux-devel >= 1.30.28-2
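Review bot: This hunk drops the CVE-2007-1841 patch and the mls/ctx/lspp security-context patches, yet `BuildRequires: libselinux-devel` is kept and the changelog entry says only "Rebase to upstream 0.7"; the package history should record that the DoS fix and the labeled-IPsec support are now taken from upstream rather than carried as patches. A changelog line such as `- drop CVE-2007-1841 and security-context patches, fixed/merged upstream in 0.7` would document that, and verifying that 0.7 actually builds the security-context code (so the libselinux-devel dependency is still exercised) belongs in the same check.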
@@ -42,13 +35,8 @@
%setup -q
%patch -p1
%patch2 -p1
-%patch5 -p1 -b .64bit
-%patch7 -p1 -b .mls
-%patch9 -p1 -b .sctx
-%patch10 -p1 -b .hctx
-%patch11 -p1 -b .acquires
-%patch12 -p1 -b .loopback
-%patch13 -p0 -b .CVE-2007-1841
+%patch3 -p1 -b .acquires
+%patch4 -p1 -b .loopback
mkdir -p kernel-headers/linux
cp %{SOURCE1} %{SOURCE2} %{SOURCE5} %{SOURCE6} kernel-headers/linux
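Review bot: `%patch4 -p1 -b .loopback` applies ipsec-tools-0.7-loopback.patch, but on this page the "NEW FILE" section for that patch shows no content at all; if the file really is empty, the rebase silently lost the loopback change, and `patch` given empty input either does nothing or aborts the build depending on its version. Confirm the file's contents in CVS, and if the loopback fix is in upstream 0.7 remove both the Patch4 line and this %patch4 invocation rather than applying an empty patch.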
@@ -109,6 +97,9 @@
%config(noreplace) /etc/racoon/racoon.conf
%changelog
+* Tue Aug 28 2007 Steve Conklin <sconklin at redhat.com> - 0.7-1
+- Rebase to upstream 0.7
+
* Mon Apr 23 2007 Steve Grubb <sgrubb at redhat.com> - 0.6.5-8
- Upstream fix for Racoon DOS, informational delete must be encrypted
- Resolves: rhbz#235388 - CVE-2007-1841 ipsec-tools racoon DoS
Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/ipsec-tools/devel/sources,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- sources 17 Jan 2007 13:09:04 -0000 1.11
+++ sources 29 Aug 2007 04:04:57 -0000 1.12
@@ -1 +1 @@
-e908f3cf367e31c7902df5ab16fbe5c3 ipsec-tools-0.6.6.tar.bz2
+c0a586924edde35264ecfe94ad1c261f ipsec-tools-0.7.tar.bz2
--- ipsec-tools-0.2.4-racoon-dest.patch DELETED ---
--- ipsec-tools-0.2.5-verifycb.patch DELETED ---
--- ipsec-tools-0.3.3-stdin.patch DELETED ---
--- ipsec-tools-0.5-64bit.patch DELETED ---
--- ipsec-tools-0.5-libs.patch DELETED ---
--- ipsec-tools-0.6.1-openssl-098.patch DELETED ---
--- ipsec-tools-0.6.5-CVE-2007-1841.patch DELETED ---
--- ipsec-tools-0.6.5-acquires.patch DELETED ---
--- ipsec-tools-0.6.5-context-increase.patch DELETED ---
--- ipsec-tools-0.6.5-ctx.patch DELETED ---
--- ipsec-tools-0.6.5-leak.patch DELETED ---
--- ipsec-tools-0.6.5-loopback.patch DELETED ---
--- ipsec-tools-0.6.5-mls.patch DELETED ---
--- ipsec-tools-fix.diff DELETED ---
--- racoon-lspp-ipsec.patch DELETED ---