authorYves-Alexis Perez <corsac@corsac.net>2017-05-30 20:59:31 +0200
committerYves-Alexis Perez <corsac@corsac.net>2017-05-30 20:59:31 +0200
commitbba25e2ff6c4a193acb54560ea4417537bd2954e (patch)
tree9e074fe343f9ab6f5ce1e9c5142d9a6cf180fcda /conf
parent05ddd767992d68bb38c7f16ece142e8c2e9ae016 (diff)
New upstream version 5.5.3
Diffstat (limited to 'conf')
-rw-r--r--conf/Makefile.in2
-rw-r--r--conf/options/charon.conf12
-rw-r--r--conf/options/charon.opt17
-rw-r--r--conf/plugins/attr-sql.conf4
-rw-r--r--conf/plugins/attr-sql.opt4
-rw-r--r--conf/plugins/kernel-netlink.opt6
-rw-r--r--conf/plugins/socket-default.conf3
-rw-r--r--conf/plugins/socket-default.opt6
-rw-r--r--conf/strongswan.conf.5.main31
-rw-r--r--conf/strongswan.conf.5.tail.in12
10 files changed, 91 insertions, 6 deletions
diff --git a/conf/Makefile.in b/conf/Makefile.in
index 70e1b01ec..9a85514ed 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -310,6 +310,7 @@ docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
fips_mode = @fips_mode@
+fuzz_plugins = @fuzz_plugins@
gtk_CFLAGS = @gtk_CFLAGS@
gtk_LIBS = @gtk_LIBS@
host = @host@
@@ -332,6 +333,7 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libfuzzer = @libfuzzer@
libiptc_CFLAGS = @libiptc_CFLAGS@
libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index 1b5d52d02..7ccb74939 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -29,6 +29,10 @@ charon {
# Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
# delete_rekeyed = no
+ # Delay in seconds until inbound IPsec SAs are deleted after rekeyings
+ # (IKEv2 only).
+ # delete_rekeyed_delay = 5
+
# Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
# strength.
# dh_exponent_ansi_x9_42 = yes
@@ -199,6 +203,14 @@ charon {
# in strongswan.conf(5).
# retransmit_base = 1.8
+ # Maximum jitter in percent to apply randomly to calculated retransmission
+ # timeout (0 to disable).
+ # retransmit_jitter = 0
+
+ # Upper limit in seconds for calculated retransmission timeout (0 to
+ # disable).
+ # retransmit_limit = 0
+
# Timeout in seconds before sending first retransmit.
# retransmit_timeout = 4.0
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 4c4311e81..3593c6a5f 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -75,6 +75,16 @@ charon.delete_rekeyed = no
However, this might cause problems with implementations that continue to
use rekeyed SAs until they expire.
+charon.delete_rekeyed_delay = 5
+ Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2
+ only).
+
+ Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2
+ only). To process delayed packets the inbound part of a CHILD_SA is kept
+ installed up to the configured number of seconds after it got replaced
+ during a rekeying. If set to 0 the CHILD_SA will be kept installed until it
+ expires (if no lifetime is set it will be destroyed immediately).
+
charon.dh_exponent_ansi_x9_42 = yes
Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
strength.
@@ -311,6 +321,13 @@ charon.retransmit_timeout = 4.0
charon.retransmit_tries = 5
Number of times to retransmit a packet before giving up.
+charon.retransmit_jitter = 0
+ Maximum jitter in percent to apply randomly to calculated retransmission
+ timeout (0 to disable).
+
+charon.retransmit_limit = 0
+ Upper limit in seconds for calculated retransmission timeout (0 to disable).
+
charon.retry_initiate_interval = 0
Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if DNS
resolution failed), 0 to disable retries.
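Review bot: The description of `charon.retransmit_jitter` in the second hunk says the jitter is applied "randomly" but not in which direction; the formula this same commit adds to strongswan.conf.5.tail.in (`relative timeout -= random(0, retransmit_jitter * relative timeout)`) only ever subtracts, so the jitter shortens timeouts and never lengthens the total retransmission time. Suggest making that explicit: `Maximum jitter in percent to apply randomly to calculated retransmission timeout (0 to disable). The jitter only shortens the timeout, it never extends it.` That formula also multiplies by the raw percent value, so presumably a division by 100 is implied and the tail.in text could say so. For `charon.retransmit_limit` it would help to state that a low limit combined with the default `retransmit_tries` shortens the total time before a peer is given up on, which is the availability trade-off an operator tuning this needs to see; I infer that from the retransmission algorithm rather than from this hunk.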
diff --git a/conf/plugins/attr-sql.conf b/conf/plugins/attr-sql.conf
index 24d4e809d..f56f54aee 100644
--- a/conf/plugins/attr-sql.conf
+++ b/conf/plugins/attr-sql.conf
@@ -1,5 +1,9 @@
attr-sql {
+ # Release all online leases during startup. Disable this to share the DB
+ # between multiple VPN gateways.
+ # crash_recovery = yes
+
# Database URI for attr-sql plugin used by charon. If it contains a
# password, make sure to adjust the permissions of the config file
# accordingly.
diff --git a/conf/plugins/attr-sql.opt b/conf/plugins/attr-sql.opt
index abd749e3e..58f05bb5f 100644
--- a/conf/plugins/attr-sql.opt
+++ b/conf/plugins/attr-sql.opt
@@ -1,3 +1,7 @@
+charon.plugins.attr-sql.crash_recovery = yes
+ Release all online leases during startup. Disable this to share the DB
+ between multiple VPN gateways.
+
charon.plugins.attr-sql.database
Database URI for attr-sql plugin used by charon. If it contains a password,
make sure to adjust the permissions of the config file accordingly.
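Review bot: The new `charon.plugins.attr-sql.crash_recovery` text says what disabling it is for (sharing the DB between gateways) but not what it costs: with the startup release turned off, leases a gateway still held when it crashed or was killed presumably stay marked online until something else cleans them up, and on a shared pool that gradually exhausts the available addresses. Suggest adding a sentence to the long description such as `When disabled, leases held by a gateway that terminated abnormally are not released automatically and have to be cleaned up in the database.` The inference about leases staying online comes from the option's name and summary, not from code visible here, so it should be confirmed against the plugin before it is documented.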
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
index 1136af1be..3d9c4a7a9 100644
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
@@ -113,6 +113,6 @@ charon.plugins.kernel-netlink.xfrm_acq_expires = 165
trap policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires.
Indirectly controls the delay between XFRM acquire messages triggered by the
kernel for a trap policy. The same value is used as timeout for SPIs
- allocated by the kernel. The default value equals the default total
- retransmission timeout for IKE messages, see IKEv2 RETRANSMISSION
- in **strongswan.conf**(5).
+ allocated by the kernel. The default value equals the total retransmission
+ timeout for IKE messages, see IKEv2 RETRANSMISSION in
+ **strongswan.conf**(5).
diff --git a/conf/plugins/socket-default.conf b/conf/plugins/socket-default.conf
index 6d4b73dd5..abf4650ed 100644
--- a/conf/plugins/socket-default.conf
+++ b/conf/plugins/socket-default.conf
@@ -10,6 +10,9 @@ socket-default {
# Set source address on outbound packets, if possible.
# set_source = yes
+ # Force sending interface on outbound packets, if possible.
+ # set_sourceif = no
+
# Listen on IPv4, if possible.
# use_ipv4 = yes
diff --git a/conf/plugins/socket-default.opt b/conf/plugins/socket-default.opt
index 483a0f03d..570bd0ec7 100644
--- a/conf/plugins/socket-default.opt
+++ b/conf/plugins/socket-default.opt
@@ -4,6 +4,12 @@ charon.plugins.socket-default.fwmark =
charon.plugins.socket-default.set_source = yes
Set source address on outbound packets, if possible.
+charon.plugins.socket-default.set_sourceif = no
+ Force sending interface on outbound packets, if possible.
+
+ Force sending interface on outbound packets, if possible. This allows
+ using IPv6 link-local addresses as tunnel endpoints.
+
charon.plugins.socket-default.use_ipv4 = yes
Listen on IPv4, if possible.
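Review bot: The description of `charon.plugins.socket-default.set_sourceif` leaves the qualifier "if possible" undefined: it does not say what determines the interface that is forced, nor what happens on a platform or socket where it cannot be forced. Since the option exists to make IPv6 link-local endpoints work, an operator enabling it needs to know whether a failure to force the interface is silent or logged; I cannot tell from this hunk. Suggest extending the long paragraph with a sentence of the form `If the interface cannot be set on a platform, the packet is sent via normal routing` (wording to be confirmed against what the socket-default plugin actually does).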
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index 72ab3a77a..4df7ce42d 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -114,6 +114,14 @@ this might cause problems with implementations that continue to use rekeyed SAs
until they expire.
.TP
+.BR charon.delete_rekeyed_delay " [5]"
+Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2
+only). To process delayed packets the inbound part of a CHILD_SA is kept
+installed up to the configured number of seconds after it got replaced during a
+rekeying. If set to 0 the CHILD_SA will be kept installed until it expires (if
+no lifetime is set it will be destroyed immediately).
+
+.TP
.BR charon.dh_exponent_ansi_x9_42 " [yes]"
Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
strength.
@@ -432,6 +440,11 @@ or an arbitrary value depending on the attribute type. For some attribute types
multiple values may be specified as a comma separated list.
.TP
+.BR charon.plugins.attr-sql.crash_recovery " [yes]"
+Release all online leases during startup. Disable this to share the DB between
+multiple VPN gateways.
+
+.TP
.BR charon.plugins.attr-sql.database " []"
Database URI for attr\-sql plugin used by charon. If it contains a password, make
sure to adjust the permissions of the config file accordingly.
@@ -1049,8 +1062,8 @@ Lifetime of XFRM acquire state created by the kernel when traffic matches a trap
policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires.
Indirectly controls the delay between XFRM acquire messages triggered by the
kernel for a trap policy. The same value is used as timeout for SPIs allocated
-by the kernel. The default value equals the default total retransmission timeout
-for IKE messages, see IKEv2 RETRANSMISSION in
+by the kernel. The default value equals the total retransmission timeout for
+IKE messages, see IKEv2 RETRANSMISSION in
.RB "" "strongswan.conf" "(5)."
@@ -1394,6 +1407,11 @@ Firewall mark to set on outbound packets.
Set source address on outbound packets, if possible.
.TP
+.BR charon.plugins.socket-default.set_sourceif " [no]"
+Force sending interface on outbound packets, if possible. This allows using IPv6
+link\-local addresses as tunnel endpoints.
+
+.TP
.BR charon.plugins.socket-default.use_ipv4 " [yes]"
Listen on IPv4, if possible.
@@ -1698,6 +1716,15 @@ Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in
.TP
+.BR charon.retransmit_jitter " [0]"
+Maximum jitter in percent to apply randomly to calculated retransmission timeout
+(0 to disable).
+
+.TP
+.BR charon.retransmit_limit " [0]"
+Upper limit in seconds for calculated retransmission timeout (0 to disable).
+
+.TP
.BR charon.retransmit_timeout " [4.0]"
Timeout in seconds before sending first retransmit.
diff --git a/conf/strongswan.conf.5.tail.in b/conf/strongswan.conf.5.tail.in
index 72aa7f856..f428fc323 100644
--- a/conf/strongswan.conf.5.tail.in
+++ b/conf/strongswan.conf.5.tail.in
@@ -408,6 +408,8 @@ using the three keys listed below:
.BR charon.retransmit_base " [1.8]"
.BR charon.retransmit_timeout " [4.0]"
.BR charon.retransmit_tries " [5]"
+.BR charon.retransmit_jitter " [0]"
+.BR charon.retransmit_limit " [0]"
.fi
.RE
.PP
@@ -419,7 +421,15 @@ The following algorithm is used to calculate the timeout:
.PP
Where
.I n
-is the current retransmission count.
+is the current retransmission count. The calculated timeout can't exceed the
+configured retransmit_limit (if any), which is useful if the number of retries
+is high.
+.PP
+If a jitter in percent is configured, the timeout is modified as follows:
+.PP
+.EX
+ relative timeout -= random(0, retransmit_jitter * relative timeout)
+.EE
.PP
Using the default values, packets are retransmitted in: