authorYves-Alexis Perez <corsac@debian.org>2014-07-11 07:23:31 +0200
committerYves-Alexis Perez <corsac@debian.org>2014-07-11 07:23:31 +0200
commit81c63b0eed39432878f78727f60a1e7499645199 (patch)
tree82387d8fecd1c20788fd8bd784a9b0bde091fb6b /conf/options
parentc5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9 (diff)
downloadvyos-strongswan-81c63b0eed39432878f78727f60a1e7499645199.tar.gz
vyos-strongswan-81c63b0eed39432878f78727f60a1e7499645199.zip
Imported Upstream version 5.2.0
Diffstat (limited to 'conf/options')
-rw-r--r--conf/options/aikgen.conf7
-rw-r--r--conf/options/aikgen.opt2
-rw-r--r--conf/options/charon.conf20
-rw-r--r--conf/options/charon.opt27
-rw-r--r--conf/options/pki.conf7
-rw-r--r--conf/options/pki.opt2
-rw-r--r--conf/options/scepclient.conf (renamed from conf/options/tools.conf)7
-rw-r--r--conf/options/scepclient.opt (renamed from conf/options/tools.opt)3
-rw-r--r--conf/options/swanctl.conf7
-rw-r--r--conf/options/swanctl.opt2
10 files changed, 74 insertions, 10 deletions
diff --git a/conf/options/aikgen.conf b/conf/options/aikgen.conf
new file mode 100644
index 000000000..10d362f1d
--- /dev/null
+++ b/conf/options/aikgen.conf
@@ -0,0 +1,7 @@
+aikgen {
+
+ # Plugins to load in ipsec aikgen tool.
+ # load =
+
+}
+
diff --git a/conf/options/aikgen.opt b/conf/options/aikgen.opt
new file mode 100644
index 000000000..2d33947fd
--- /dev/null
+++ b/conf/options/aikgen.opt
@@ -0,0 +1,2 @@
+aikgen.load =
+ Plugins to load in ipsec aikgen tool.
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index 5cab2b1c4..ec3a39a40 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -1,6 +1,9 @@
# Options for the charon IKE daemon.
charon {
+ # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
+ # accept_unencrypted_mainmode_messages = no
+
# Maximum number of half-open IKE_SAs for a single peer IP.
# block_threshold = 5
@@ -131,6 +134,11 @@ charon {
# will be allocated.
# port_nat_t = 4500
+ # By default public IPv6 addresses are preferred over temporary ones (RFC
+ # 4941), to make connections more stable. Enable this option to reverse
+ # this.
+ # prefer_temporary_addrs = no
+
# Process RTM_NEWROUTE and RTM_DELROUTE events.
# process_route = yes
@@ -254,6 +262,18 @@ charon {
}
+ # Section containing a list of scripts (name = path) that are executed when
+ # the daemon is started.
+ start-scripts {
+
+ }
+
+ # Section containing a list of scripts (name = path) that are executed when
+ # the daemon is terminated.
+ stop-scripts {
+
+ }
+
tls {
# List of TLS encryption ciphers.
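Review bot: The new `start-scripts` and `stop-scripts` sections document only the `name = path` syntax, not the trust placed in those paths: every path listed here is executed by the daemon at start and stop, so the referenced files (and this config) become part of the daemon's attack surface if they are writable by unprivileged users. A one-line comment under each section header would make that explicit for operators, e.g. `# Scripts listed here are executed by the daemon itself (presumably with its privileges; confirm) - keep them writable only by the administrator.` The execution order among several scripts in one section is also unspecified; if it is not guaranteed, saying so avoids ordering assumptions. The same wording gap exists in the matching charon.opt entries for `charon.start-scripts` and `charon.stop-scripts`.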
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index c6f4f1e9e..1eb1b8877 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -8,6 +8,21 @@ charon {}
**charon-cmd** instead of **charon**). For many options defaults can be
defined in the **libstrongswan** section.
+charon.accept_unencrypted_mainmode_messages = no
+ Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
+
+ Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
+
+ Some implementations send the third Main Mode message unencrypted, probably
+ to find the PSKs for the specified ID for authentication. This is very
+ similar to Aggressive Mode, and has the same security implications: A
+ passive attacker can sniff the negotiated Identity, and start brute forcing
+ the PSK using the HASH payload.
+
+ It is recommended to keep this option to no, unless you know exactly
+ what the implications are and require compatibility to such devices (for
+ example, some SonicWall boxes).
+
charon.block_threshold = 5
Maximum number of half-open IKE_SAs for a single peer IP.
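Review bot: The sentence `Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.` appears twice in the new `charon.accept_unencrypted_mainmode_messages` entry, once as the one-line summary and again as the first paragraph of the long description directly below it; the second copy reads like a copy-paste leftover and should be dropped so the Aggressive-Mode comparison becomes the first paragraph. Since the one-liner in charon.conf in this same commit matches this summary line exactly, the generated .conf comment appears to be derived from it, and operators reading only the .conf will not see the PSK exposure described here; the summary could carry that hint in a few words, e.g. `Accept unencrypted ID and HASH payloads in IKEv1 Main Mode (exposes the PSK to offline guessing, as in Aggressive Mode).`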
@@ -196,6 +211,10 @@ charon.port_nat_t = 4500
allocated. Has to be different from **charon.port**, otherwise a random
port will be allocated.
+charon.prefer_temporary_addrs = no
+ By default public IPv6 addresses are preferred over temporary ones (RFC
+ 4941), to make connections more stable. Enable this option to reverse this.
+
charon.process_route = yes
Process RTM_NEWROUTE and RTM_DELROUTE events.
@@ -256,6 +275,14 @@ charon.send_delay_type = 0
charon.send_vendor_id = no
Send strongSwan vendor ID payload
+charon.start-scripts {}
+ Section containing a list of scripts (name = path) that are executed when
+ the daemon is started.
+
+charon.stop-scripts {}
+ Section containing a list of scripts (name = path) that are executed when
+ the daemon is terminated.
+
charon.threads = 16
Number of worker threads in charon.
diff --git a/conf/options/pki.conf b/conf/options/pki.conf
new file mode 100644
index 000000000..f64a091a5
--- /dev/null
+++ b/conf/options/pki.conf
@@ -0,0 +1,7 @@
+pki {
+
+ # Plugins to load in ipsec pki tool.
+ # load =
+
+}
+
diff --git a/conf/options/pki.opt b/conf/options/pki.opt
new file mode 100644
index 000000000..c57dcc8c5
--- /dev/null
+++ b/conf/options/pki.opt
@@ -0,0 +1,2 @@
+pki.load =
+ Plugins to load in ipsec pki tool.
diff --git a/conf/options/tools.conf b/conf/options/scepclient.conf
index 781635ceb..0b1a13187 100644
--- a/conf/options/tools.conf
+++ b/conf/options/scepclient.conf
@@ -1,10 +1,3 @@
-pki {
-
- # Plugins to load in ipsec pki tool.
- # load =
-
-}
-
scepclient {
# Plugins to load in ipsec scepclient tool.
diff --git a/conf/options/tools.opt b/conf/options/scepclient.opt
index 72a49de28..7e30f5cd3 100644
--- a/conf/options/tools.opt
+++ b/conf/options/scepclient.opt
@@ -1,5 +1,2 @@
-pki.load =
- Plugins to load in ipsec pki tool.
-
scepclient.load =
Plugins to load in ipsec scepclient tool.
diff --git a/conf/options/swanctl.conf b/conf/options/swanctl.conf
new file mode 100644
index 000000000..cb182396b
--- /dev/null
+++ b/conf/options/swanctl.conf
@@ -0,0 +1,7 @@
+swanctl {
+
+ # Plugins to load in swanctl.
+ # load =
+
+}
+
diff --git a/conf/options/swanctl.opt b/conf/options/swanctl.opt
new file mode 100644
index 000000000..f78b4bccc
--- /dev/null
+++ b/conf/options/swanctl.opt
@@ -0,0 +1,2 @@
+swanctl.load =
+ Plugins to load in swanctl. \ No newline at end of file