main/ipsec-tools: add a patch to improve delete notify handling

if phase1 rekeying is enabled, remote side deleting the last
phase1 will result in deletion of all the ipsec-sa's and will
execute the phase1_dead script hook too (so every one knows
the traffic between the two nodes has ceased).
(cherry picked from commit 8fe94be6c0d43e8df28679604f3d0fef550829a4)

2 files changed, 61 insertions, 2 deletions

diff --git a/main/ipsec-tools/95-purge-on-delete-notify.patch b/main/ipsec-tools/95-purge-on-delete-notify.patch
new file mode 100644
index 0000000000..aa92135bc4
--- /dev/null
+++ b/main/ipsec-tools/95-purge-on-delete-notify.patch
@@ -0,0 +1,57 @@
+Index: src/racoon/isakmp.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v
+retrieving revision 1.63
+diff -u -p -r1.63 isakmp.c
+--- a/src/racoon/isakmp.c       21 Oct 2010 06:15:28 -0000      1.63
++++ b/src/racoon/isakmp.c       4 Nov 2010 14:52:39 -0000
+@@ -766,6 +766,20 @@ isakmp_main(msg, remote, local)
+        return 0;
+ }
+ 
++static int
++ph1_rekey_enabled(iph1)
++       struct ph1handle *iph1;
++{
++       if (iph1->rmconf->rekey == REKEY_FORCE)
++               return 1;
++#ifdef ENABLE_DPD
++       if (iph1->rmconf->rekey == REKEY_ON && iph1->dpd_support &&
++           iph1->rmconf->dpd_interval)
++               return 1;
++#endif
++       return 0;
++}
++
+ /*
+  * main function of phase 1.
+  */
+@@ -866,13 +880,7 @@ ph1_main(iph1, msg)
+                migrate_dying_ph12(iph1);
+ 
+                /* add to the schedule to expire, and seve back pointer. */
+-               if ((iph1->rmconf->rekey == REKEY_FORCE)
+-#ifdef ENABLE_DPD
+-                       ||
+-                   (iph1->rmconf->rekey == REKEY_ON && iph1->dpd_support &&
+-                    iph1->rmconf->dpd_interval)
+-#endif
+-                       ) {
++               if (ph1_rekey_enabled(iph1)) {
+                        sched_schedule(&iph1->sce,
+                                       iph1->approval->lifetime *
+                                       PFKEY_SOFT_LIFETIME_RATE / 100,
+@@ -2071,7 +2079,13 @@ isakmp_ph1delete(iph1)
+        plog(LLV_INFO, LOCATION, NULL,
+                "ISAKMP-SA deleted %s-%s spi:%s\n",
+                src, dst, isakmp_pindex(&iph1->index, 0));
++
+        evt_phase1(iph1, EVT_PHASE1_DOWN, NULL);
++
++       if (new_iph1 == NULL && ph1_rekey_enabled(iph1)) {
++               purge_remote(iph1);
++               script_hook(iph1, SCRIPT_PHASE1_DEAD);
++       }
+        racoon_free(src);
+        racoon_free(dst);
+ 
diff --git a/main/ipsec-tools/APKBUILD b/main/ipsec-tools/APKBUILD
index 8315f484bd..286144b661 100644
--- a/main/ipsec-tools/APKBUILD
+++ b/main/ipsec-tools/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=ipsec-tools
 pkgver=0.8_alpha20101022
 _myver=0.8-alpha20101022
-pkgrel=1
+pkgrel=2
 pkgdesc="User-space IPsec tools for various IPsec implementations"
 url="http://ipsec-tools.sourceforge.net/"
 license="BSD"
@@ -17,6 +17,7 @@ source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz
         75-racoonctl-rcvbuf.patch
         80-admin-big-reply-fix.patch
         90-dpd-window-fix.patch
+        95-purge-on-delete-notify.patch
         "
 
 _builddir="$srcdir"/$pkgname-$_myver
@@ -63,4 +64,5 @@ md5sums="1492b83edc944b5d32d2eff51e33399e  ipsec-tools-0.8-alpha20101022.tar.gz
 94773c94233e14cdce0fa02ff780a43e  70-defer-isakmp-ident-handling.patch
 2d5d24c4a3684a38584f88720f71c7d6  75-racoonctl-rcvbuf.patch
 c3898b162d284bc163f99cc52925b52a  80-admin-big-reply-fix.patch
-0391a6967ad19673588302bc8b17e0e2  90-dpd-window-fix.patch"
+0391a6967ad19673588302bc8b17e0e2  90-dpd-window-fix.patch
+8bc73a15407564321c8f571b5656b28d  95-purge-on-delete-notify.patch"