authorRomain Francoise <rfrancoise@debian.org>2014-10-21 19:28:38 +0200
committerRomain Francoise <rfrancoise@debian.org>2014-10-21 19:28:38 +0200
commit2b8de74ff4c334c25e89988c4a401b24b5bcf03d (patch)
tree10fb49ca94bfd0c8b8a583412281abfc0186836e /conf/plugins
parent81c63b0eed39432878f78727f60a1e7499645199 (diff)
Import upstream release 5.2.1
Diffstat (limited to 'conf/plugins')
-rw-r--r--conf/plugins/eap-radius.conf6
-rw-r--r--conf/plugins/eap-radius.opt6
-rw-r--r--conf/plugins/ext-auth.conf11
-rw-r--r--conf/plugins/ext-auth.opt15
-rw-r--r--conf/plugins/kernel-netlink.conf10
-rw-r--r--conf/plugins/kernel-netlink.opt15
-rw-r--r--conf/plugins/stroke.conf3
-rw-r--r--conf/plugins/stroke.opt3
8 files changed, 67 insertions, 2 deletions
diff --git a/conf/plugins/eap-radius.conf b/conf/plugins/eap-radius.conf
index 64db67456..b98b195d1 100644
--- a/conf/plugins/eap-radius.conf
+++ b/conf/plugins/eap-radius.conf
@@ -7,11 +7,15 @@ eap-radius {
# updates.
# accounting_close_on_timeout = yes
+ # Interval for interim RADIUS accounting updates, if not specified by the
+ # RADIUS server in the Access-Accept message.
+ # accounting_interval = 0
+
# If enabled, accounting is disabled unless an IKE_SA has at least one
# virtual IP.
# accounting_requires_vip = no
- # Use class attributes in RADIUS-Accept messages as group membership
+ # Use class attributes in Access-Accept messages as group membership
# information.
# class_group = no
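Review bot: The new `# accounting_interval = 0` comment gives neither the unit of the interval nor what the value 0 means, and the same wording is repeated in eap-radius.opt below, so both places leave the administrator guessing; the value is presumably seconds and 0 presumably means "only send interim updates when the server asks for them", but nothing on the page says so. The comment should state the unit and the meaning of 0 explicitly, in the style the file already uses for `xfrm_acq_expires` and similar numeric keys. The enclosing `eap-radius {` block starts and ends outside the hunk.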
diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt
index 0df6a0d6f..2a6786dd9 100644
--- a/conf/plugins/eap-radius.opt
+++ b/conf/plugins/eap-radius.opt
@@ -5,12 +5,16 @@ charon.plugins.eap-radius.accounting_close_on_timeout = yes
Close the IKE_SA if there is a timeout during interim RADIUS accounting
updates.
+charon.plugins.eap-radius.accounting_interval = 0
+ Interval for interim RADIUS accounting updates, if not specified by the
+ RADIUS server in the Access-Accept message.
+
charon.plugins.eap-radius.accounting_requires_vip = no
If enabled, accounting is disabled unless an IKE_SA has at least one
virtual IP.
charon.plugins.eap-radius.class_group = no
- Use class attributes in RADIUS-Accept messages as group membership
+ Use class attributes in Access-Accept messages as group membership
information.
Use the _class_ attribute sent in the RADIUS-Accept message as group
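Review bot: The rename from "RADIUS-Accept" to "Access-Accept" on the short description is incomplete: the long description two lines later still reads `Use the _class_ attribute sent in the RADIUS-Accept message`, so the generated documentation for `class_group` will use both names for the same message. Change it to `Use the _class_ attribute sent in the Access-Accept message` so the two paragraphs agree. That paragraph continues past the end of the hunk.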
diff --git a/conf/plugins/ext-auth.conf b/conf/plugins/ext-auth.conf
new file mode 100644
index 000000000..f5aa45f6f
--- /dev/null
+++ b/conf/plugins/ext-auth.conf
@@ -0,0 +1,11 @@
+ext-auth {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Shell script to invoke for peer authorization.
+ # script =
+
+}
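Review bot: The `# script =` entry is described only as `Shell script to invoke for peer authorization`, which hides what ext-auth.opt states below: the value is handed to the system shell as a command and its exit status decides whether the IKE_SA is authorized. The comment should tell the administrator to use an absolute path and to keep the script and its directory non-writable by unprivileged users, since whoever can edit the script decides who is authorized; suggested text: `# Command passed to the system shell for peer authorization; use an absolute path to a script that unprivileged users cannot modify.` Whether an empty value simply skips the check is not stated anywhere on the page and, given `load = yes`, is worth writing down as well.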
+
diff --git a/conf/plugins/ext-auth.opt b/conf/plugins/ext-auth.opt
new file mode 100644
index 000000000..bf127b9d7
--- /dev/null
+++ b/conf/plugins/ext-auth.opt
@@ -0,0 +1,15 @@
+charon.plugins.ext-auth.script =
+ Shell script to invoke for peer authorization.
+
+ Command to pass to the system shell for peer authorization. Authorization
+ is considered successful if the command executes normally with an exit code
+ of zero. For all other exit codes IKE_SA authorization is rejected.
+
+ The following environment variables get passed to the script:
+ _IKE_UNIQUE_ID_: The IKE_SA numerical unique identifier.
+ _IKE_NAME_: The peer configuration connection name.
+ _IKE_LOCAL_HOST_: Local IKE IP address.
+ _IKE_REMOTE_HOST_: Remote IKE IP address.
+ _IKE_LOCAL_ID_: Local IKE identity.
+ _IKE_REMOTE_ID_: Remote IKE identity.
+ _IKE_REMOTE_EAP_ID_: Remote EAP or XAuth identity, if used.
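Review bot: The variable list does not say that `_IKE_REMOTE_ID_`, `_IKE_REMOTE_EAP_ID_` and `_IKE_REMOTE_HOST_` are values chosen or sent by the remote peer, so a script that splices them unquoted into a shell command or an `eval` is handling attacker-influenced input at exactly the point where authorization is decided. Add a sentence after the list such as `The remote identity and address values are supplied by the peer and must be treated as untrusted input by the script; quote them and never evaluate them as shell code.` The text also only covers the success case (`executes normally with an exit code of zero`); what happens when the command cannot be started at all (missing or non-executable script) is presumably rejection, and stating that fail-closed behaviour explicitly would stop administrators from assuming the opposite.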
diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf
index 670746963..f05f486b1 100644
--- a/conf/plugins/kernel-netlink.conf
+++ b/conf/plugins/kernel-netlink.conf
@@ -8,10 +8,20 @@ kernel-netlink {
# priority of this plugin.
load = yes
+ # MSS to set on installed routes, 0 to disable.
+ # mss = 0
+
+ # MTU to set on installed routes, 0 to disable.
+ # mtu = 0
+
# Whether to trigger roam events when interfaces, addresses or routes
# change.
# roam_events = yes
+ # Whether to set protocol and ports in the selector installed on transport
+ # mode IPsec SAs in the kernel.
+ # set_proto_port_transport_sa = no
+
# Lifetime of XFRM acquire state in kernel.
# xfrm_acq_expires = 165
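Review bot: The summary comment for `# set_proto_port_transport_sa = no` leaves out the consequence that kernel-netlink.opt below spells out, namely that only setting the protocol and ports in the selector enforces the policy for inbound traffic on transport-mode SAs, which implies the default does not; that trade-off is what an administrator needs when choosing the value, and the .conf comment is what most of them read. Suggested comment: `# Whether to set protocol and ports in the selector installed on transport mode IPsec SAs in the kernel. Enforces inbound policy, but restricts each SA to a single traffic selector.` The `mss`/`mtu` entries are fine as written. The enclosing `kernel-netlink {` block starts and ends outside the hunk.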
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
index a8e421b6e..7d44581a5 100644
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
@@ -7,9 +7,24 @@ charon.plugins.kernel-netlink.fwmark =
inverts the meaning (i.e. the rule only applies to packets that don't match
the mark).
+charon.plugins.kernel-netlink.mss = 0
+ MSS to set on installed routes, 0 to disable.
+
+charon.plugins.kernel-netlink.mtu = 0
+ MTU to set on installed routes, 0 to disable.
+
charon.plugins.kernel-netlink.roam_events = yes
Whether to trigger roam events when interfaces, addresses or routes change.
+charon.plugins.kernel-netlink.set_proto_port_transport_sa = no
+ Whether to set protocol and ports in the selector installed on transport
+ mode IPsec SAs in the kernel.
+
+ Whether to set protocol and ports in the selector installed on transport
+ mode IPsec SAs in the kernel. While doing so enforces policies for inbound
+ traffic, it also prevents the use of a single IPsec SA by more than one
+ traffic selector.
+
charon.plugins.kernel-netlink.xfrm_acq_expires = 165
Lifetime of XFRM acquire state in kernel.
diff --git a/conf/plugins/stroke.conf b/conf/plugins/stroke.conf
index 6dd063053..3d8ee0acc 100644
--- a/conf/plugins/stroke.conf
+++ b/conf/plugins/stroke.conf
@@ -14,6 +14,9 @@ stroke {
# If enabled log level changes via stroke socket are not allowed.
# prevent_loglevel_changes = no
+ # Location of the ipsec.secrets file
+ # secrets_file = ${sysconfdir}/ipsec.secrets
+
# Socket provided by the stroke plugin.
# socket = unix://${piddir}/charon.ctl
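Review bot: The comment `# Location of the ipsec.secrets file` is the only entry in this block without a terminating period and, more to the point, says nothing about the file being sensitive; the same text is used in stroke.opt below. Suggested wording: `# Location of the ipsec.secrets file (contains authentication secrets; keep it readable by root only).` Whether the daemon refuses a world-readable secrets file is not shown on this page, so the comment should recommend the permissions rather than claim enforcement. The enclosing `stroke {` block starts and ends outside the hunk.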
diff --git a/conf/plugins/stroke.opt b/conf/plugins/stroke.opt
index 2cfc2c6fa..4b49b1f04 100644
--- a/conf/plugins/stroke.opt
+++ b/conf/plugins/stroke.opt
@@ -8,6 +8,9 @@ charon.plugins.stroke.max_concurrent = 4
charon.plugins.stroke.prevent_loglevel_changes = no
If enabled log level changes via stroke socket are not allowed.
+charon.plugins.stroke.secrets_file = ${sysconfdir}/ipsec.secrets
+ Location of the ipsec.secrets file
+
charon.plugins.stroke.socket = unix://${piddir}/charon.ctl
Socket provided by the stroke plugin.