authorYves-Alexis Perez <corsac@corsac.net>2018-02-19 18:17:21 +0100
committerYves-Alexis Perez <corsac@corsac.net>2018-02-19 18:17:21 +0100
commit7793611ee71b576dd9c66dee327349fa64e38740 (patch)
treef1379ec1aed52a3c772874d4ed690b90975b9623 /conf/plugins
parente1d78dc2faaa06e7c3f71ef674a71e4de2f0758e (diff)
New upstream version 5.6.2
Diffstat (limited to 'conf/plugins')
-rw-r--r--conf/plugins/ha.opt7
-rw-r--r--conf/plugins/imc-os.opt4
-rw-r--r--conf/plugins/kernel-netlink.conf3
-rw-r--r--conf/plugins/kernel-netlink.opt9
-rw-r--r--conf/plugins/save-keys.conf16
-rw-r--r--conf/plugins/save-keys.opt16
6 files changed, 54 insertions, 1 deletions
diff --git a/conf/plugins/ha.opt b/conf/plugins/ha.opt
index 77d5b7888..c821a880b 100644
--- a/conf/plugins/ha.opt
+++ b/conf/plugins/ha.opt
@@ -2,6 +2,13 @@ charon.plugins.ha.autobalance = 0
Interval in seconds to automatically balance handled segments between nodes.
Set to 0 to disable.
+charon.plugin.ha.buflen = 2048
+ Buffer size for received HA messages.
+
+ Buffer size for received HA messages. For IKEv1 the public DH factors are
+ also transmitted so depending on the DH group the HA messages can get quite
+ big (the default should be fine up to _modp4096_).
+
charon.plugins.ha.fifo_interface = yes
charon.plugins.ha.heartbeat_delay = 1000
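Review bot: The new option on the added line is keyed `charon.plugin.ha.buflen` (singular `plugin`), while every other option visible in this file, including the neighbouring `charon.plugins.ha.autobalance` and `charon.plugins.ha.fifo_interface`, sits under `charon.plugins.ha`. If the generated documentation and config snippets take their key from this line, an administrator who copies it would set a value the HA plugin presumably never reads, and the receive buffer would stay at its default with no error reported. The line should read `charon.plugins.ha.buflen = 2048`. The lookup in the plugin code is not part of this page, so confirm the name against it.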
diff --git a/conf/plugins/imc-os.opt b/conf/plugins/imc-os.opt
index 4f559f2b9..6c1da5e89 100644
--- a/conf/plugins/imc-os.opt
+++ b/conf/plugins/imc-os.opt
@@ -6,6 +6,10 @@ libimcv.plugins.imc-os.device_id =
Manually set the client device ID in hexadecimal format
(e.g. 1083f03988c9762703b1c1080c2e46f72b99cc31)
+libimcv.plugins.imc-os.device_handle =
+ Manually set handle to a private key bound to a smartcard or TPM
+ (e.g. 0x81010004)
+
libimcv.plugins.imc-os.device_pubkey =
Manually set the path to the client device public key
(e.g. /etc/pts/aikPub.der)
diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf
index 22d94ee38..9827b2282 100644
--- a/conf/plugins/kernel-netlink.conf
+++ b/conf/plugins/kernel-netlink.conf
@@ -35,6 +35,9 @@ kernel-netlink {
# Whether to use port or socket based IKE XFRM bypass policies.
# port_bypass = no
+ # Whether to process changes in routing rules to trigger roam events.
+ # process_rules = no
+
# Maximum Netlink socket receive buffer in bytes.
# receive_buffer_size = 0
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
index 3d9c4a7a9..0e368ca1e 100644
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
@@ -7,7 +7,7 @@ charon.plugins.kernel-netlink.force_receive_buffer_size = no
If the maximum Netlink socket receive buffer in bytes set by
_receive_buffer_size_ exceeds the system-wide maximum from
/proc/sys/net/core/rmem_max, this option can be used to override the limit.
- Enabling this option requires special priviliges (CAP_NET_ADMIN).
+ Enabling this option requires special privileges (CAP_NET_ADMIN).
charon.plugins.kernel-netlink.fwmark =
Firewall mark to set on the routing rule that directs traffic to our routing
@@ -47,6 +47,13 @@ charon.plugins.kernel-netlink.port_bypass = no
port based policies use global XFRM bypass policies for the used IKE UDP
ports.
+charon.plugins.kernel-netlink.process_rules = no
+ Whether to process changes in routing rules to trigger roam events.
+
+ Whether to process changes in routing rules to trigger roam events. This is
+ currently only useful if the kernel based route lookup is used (i.e. if
+ route installation is disabled or an inverted fwmark match is configured).
+
charon.plugins.kernel-netlink.receive_buffer_size = 0
Maximum Netlink socket receive buffer in bytes.
diff --git a/conf/plugins/save-keys.conf b/conf/plugins/save-keys.conf
new file mode 100644
index 000000000..c38cdcf69
--- /dev/null
+++ b/conf/plugins/save-keys.conf
@@ -0,0 +1,16 @@
+save-keys {
+
+ # Whether to save ESP keys.
+ # esp = no
+
+ # Whether to save IKE keys.
+ # ike = no
+
+ # Whether to load the plugin.
+ load = no
+
+ # Directory where the keys are stored in the format supported by Wireshark
+ # wireshark_keys =
+
+}
+
diff --git a/conf/plugins/save-keys.opt b/conf/plugins/save-keys.opt
new file mode 100644
index 000000000..22a766a6f
--- /dev/null
+++ b/conf/plugins/save-keys.opt
@@ -0,0 +1,16 @@
+charon.plugins.save-keys.load := no
+ Whether to load the plugin.
+
+charon.plugins.save-keys.esp = no
+ Whether to save ESP keys.
+
+charon.plugins.save-keys.ike = no
+ Whether to save IKE keys.
+
+charon.plugins.save-keys.wireshark_keys
+ Directory where the keys are stored in the format supported by Wireshark
+
+ Directory where the keys are stored in the format supported by Wireshark.
+ IKEv1 keys are stored in the _ikev1_decryption_table_ file.
+ IKEv2 keys are stored in the _ikev2_decryption_table_ file.
+ Keys for ESP CHILD_SAs are stored in the _esp_sa_ file.
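Review bot: The descriptions of `wireshark_keys` and of the `esp`/`ike` switches never say that the files written hold the session keys of IKE and ESP SAs, so anyone who can read that directory can decrypt captured traffic for those SAs. The long description should carry that caveat, for example `The stored keys allow decrypting the IKE and ESP traffic they protect, so the plugin is meant for debugging only and the directory must be readable by the daemon's user alone.` These lines also do not state what happens when `esp` or `ike` is enabled while `wireshark_keys` is left unset, which is worth documenting. The same short descriptions appear in conf/plugins/save-keys.conf, which looks generated from this file, so the wording only needs fixing here.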