authorRomain Francoise <rfrancoise@debian.org>2014-10-21 19:28:38 +0200
committerRomain Francoise <rfrancoise@debian.org>2014-10-21 19:28:38 +0200
commit2b8de74ff4c334c25e89988c4a401b24b5bcf03d (patch)
tree10fb49ca94bfd0c8b8a583412281abfc0186836e /conf
parent81c63b0eed39432878f78727f60a1e7499645199 (diff)
downloadvyos-strongswan-2b8de74ff4c334c25e89988c4a401b24b5bcf03d.tar.gz
vyos-strongswan-2b8de74ff4c334c25e89988c4a401b24b5bcf03d.zip
Import upstream release 5.2.1
Diffstat (limited to 'conf')
-rw-r--r--conf/Makefile.am8
-rw-r--r--conf/Makefile.in16
-rw-r--r--conf/options/charon-systemd.conf16
-rw-r--r--conf/options/charon-systemd.opt13
-rw-r--r--conf/options/charon.conf8
-rw-r--r--conf/options/charon.opt8
-rw-r--r--conf/options/starter.conf3
-rw-r--r--conf/options/starter.opt3
-rw-r--r--conf/plugins/eap-radius.conf6
-rw-r--r--conf/plugins/eap-radius.opt6
-rw-r--r--conf/plugins/ext-auth.conf11
-rw-r--r--conf/plugins/ext-auth.opt15
-rw-r--r--conf/plugins/kernel-netlink.conf10
-rw-r--r--conf/plugins/kernel-netlink.opt15
-rw-r--r--conf/plugins/stroke.conf3
-rw-r--r--conf/plugins/stroke.opt3
-rw-r--r--conf/strongswan.conf.5.main75
17 files changed, 202 insertions, 17 deletions
diff --git a/conf/Makefile.am b/conf/Makefile.am
index 373be1631..e5077391a 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -12,6 +12,7 @@ options = \
options/attest.opt \
options/charon.opt \
options/charon-logging.opt \
+ options/charon-systemd.opt \
options/imcv.opt \
options/manager.opt \
options/medsrv.opt \
@@ -44,6 +45,7 @@ plugins = \
plugins/eap-tnc.opt \
plugins/eap-ttls.opt \
plugins/error-notify.opt \
+ plugins/ext-auth.opt \
plugins/gcrypt.opt \
plugins/ha.opt \
plugins/imc-attestation.opt \
@@ -152,9 +154,9 @@ maintainer-clean-local:
rm -f $(confsnippets) default.conf plugins/*.conf plugins/*.tmp
install-data-local: $(plugins_install_src)
- test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)"
- test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)"
- test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)"
+ test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)" || true
+ test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)" || true
+ test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)" || true
test -e "$(DESTDIR)$(strongswanconfdir)/strongswan.conf" || $(INSTALL) -m 644 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswanconfdir)/strongswan.conf || true
for f in $(options_install_src); do \
name=`basename $$f`; \
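Review bot: Appending `|| true` to the three `$(INSTALL) -d` lines in install-data-local hides every real failure to create the configuration directories: a permission problem or an unwritable `$(DESTDIR)` leaves the directory absent while `make install` still exits 0, and since the strongswan.conf line below is already masked the same way, the rule can no longer fail on any of its own steps. The preceding `test -e` already covers the directory-already-exists case, so the only outcomes being silenced are genuine errors. If tolerating an unwritable target is intended, at least make it visible, e.g. `test -e "$(DESTDIR)$(strongswanconfdir)" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)" || echo "warning: cannot create $(DESTDIR)$(strongswanconfdir)" >&2` on each of the three lines; while touching them, `${strongswanconfdir}` and `$(strongswanconfdir)` could use one spelling. The rule continues past the hunk with the `for f in $(options_install_src)` loop, and conf/Makefile.in carries the identical change as generated output, so the fix belongs in Makefile.am and should be regenerated from there.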
diff --git a/conf/Makefile.in b/conf/Makefile.in
index a0ad980ca..d5bb3ffa7 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -186,6 +186,7 @@ ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
+GEM = @GEM@
GENHTML = @GENHTML@
GPERF = @GPERF@
GPRBUILD = @GPRBUILD@
@@ -246,6 +247,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
RUBYINCLUDE = @RUBYINCLUDE@
RUBYLIB = @RUBYLIB@
SED = @SED@
@@ -311,6 +313,8 @@ ipsecdir = @ipsecdir@
ipsecgroup = @ipsecgroup@
ipseclibdir = @ipseclibdir@
ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
linux_headers = @linux_headers@
@@ -358,6 +362,10 @@ strongswan_conf = @strongswan_conf@
strongswan_options = @strongswan_options@
swanctldir = @swanctldir@
sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
target_alias = @target_alias@
@@ -381,6 +389,7 @@ options = \
options/attest.opt \
options/charon.opt \
options/charon-logging.opt \
+ options/charon-systemd.opt \
options/imcv.opt \
options/manager.opt \
options/medsrv.opt \
@@ -413,6 +422,7 @@ plugins = \
plugins/eap-tnc.opt \
plugins/eap-ttls.opt \
plugins/error-notify.opt \
+ plugins/ext-auth.opt \
plugins/gcrypt.opt \
plugins/ha.opt \
plugins/imc-attestation.opt \
@@ -839,9 +849,9 @@ maintainer-clean-local:
rm -f $(confsnippets) default.conf plugins/*.conf plugins/*.tmp
install-data-local: $(plugins_install_src)
- test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)"
- test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)"
- test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)"
+ test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)" || true
+ test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)" || true
+ test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)" || true
test -e "$(DESTDIR)$(strongswanconfdir)/strongswan.conf" || $(INSTALL) -m 644 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswanconfdir)/strongswan.conf || true
for f in $(options_install_src); do \
name=`basename $$f`; \
diff --git a/conf/options/charon-systemd.conf b/conf/options/charon-systemd.conf
new file mode 100644
index 000000000..630488ad8
--- /dev/null
+++ b/conf/options/charon-systemd.conf
@@ -0,0 +1,16 @@
+charon-systemd {
+
+ # Section to configure native systemd journal logger, very similar to the
+ # syslog logger as described in LOGGER CONFIGURATION in strongswan.conf(5).
+ journal {
+
+ # Loglevel for a specific subsystem.
+ # <subsystem> = <default>
+
+ # Default loglevel.
+ # default = 1
+
+ }
+
+}
+
diff --git a/conf/options/charon-systemd.opt b/conf/options/charon-systemd.opt
new file mode 100644
index 000000000..3482f449f
--- /dev/null
+++ b/conf/options/charon-systemd.opt
@@ -0,0 +1,13 @@
+charon-systemd.journal {}
+ Section to configure native systemd journal logger, very similar to the
+ syslog logger as described in LOGGER CONFIGURATION in
+ **strongswan.conf**(5).
+
+charon-systemd.journal.default = 1
+ Default loglevel.
+
+ Specifies the default loglevel to be used for subsystems for which no
+ specific loglevel is defined.
+
+charon-systemd.journal.<subsystem> = <default>
+ Loglevel for a specific subsystem.
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index ec3a39a40..0bec9bb0a 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -40,9 +40,11 @@ charon {
# Free objects during authentication (might conflict with plugins).
# flush_auth_cfg = no
- # Maximum size (in bytes) of a sent fragment when using the proprietary
- # IKEv1 fragmentation extension.
- # fragment_size = 512
+ # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
+ # when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
+ # address family specific default values). If specified this limit is
+ # used for both IPv4 and IPv6.
+ # fragment_size = 0
# Name of the group the daemon changes to after startup.
# group =
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 1eb1b8877..678aa37bc 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -85,9 +85,11 @@ charon.flush_auth_cfg = no
this might conflict with plugins that later need access to e.g. the used
certificates.
-charon.fragment_size = 512
- Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
- fragmentation extension.
+charon.fragment_size = 0
+ Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
+ when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
+ address family specific default values). If specified this limit is used
+ for both IPv4 and IPv6.
charon.group
Name of the group the daemon changes to after startup.
diff --git a/conf/options/starter.conf b/conf/options/starter.conf
index 8465f7e53..447397b0d 100644
--- a/conf/options/starter.conf
+++ b/conf/options/starter.conf
@@ -1,5 +1,8 @@
starter {
+ # Location of the ipsec.conf file
+ # config_file = ${sysconfdir}/ipsec.conf
+
# Plugins to load in starter.
# load =
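Review bot: The new comment `# Location of the ipsec.conf file` is the only description in these files without a terminating period; its neighbour `# Plugins to load in starter.` and every other option text end with one. Suggest `# Location of the ipsec.conf file.`; the same unterminated wording recurs in conf/options/starter.opt, in conf/plugins/stroke.conf and conf/plugins/stroke.opt for ipsec.secrets, and in the corresponding entries of conf/strongswan.conf.5.main.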
diff --git a/conf/options/starter.opt b/conf/options/starter.opt
index 4e6574d58..54689e976 100644
--- a/conf/options/starter.opt
+++ b/conf/options/starter.opt
@@ -1,3 +1,6 @@
+starter.config_file = ${sysconfdir}/ipsec.conf
+ Location of the ipsec.conf file
+
starter.load =
Plugins to load in starter.
diff --git a/conf/plugins/eap-radius.conf b/conf/plugins/eap-radius.conf
index 64db67456..b98b195d1 100644
--- a/conf/plugins/eap-radius.conf
+++ b/conf/plugins/eap-radius.conf
@@ -7,11 +7,15 @@ eap-radius {
# updates.
# accounting_close_on_timeout = yes
+ # Interval for interim RADIUS accounting updates, if not specified by the
+ # RADIUS server in the Access-Accept message.
+ # accounting_interval = 0
+
# If enabled, accounting is disabled unless an IKE_SA has at least one
# virtual IP.
# accounting_requires_vip = no
- # Use class attributes in RADIUS-Accept messages as group membership
+ # Use class attributes in Access-Accept messages as group membership
# information.
# class_group = no
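Review bot: The new `accounting_interval` comment states neither the unit of the value nor what the default `0` means — whether it disables client-initiated interim updates or just defers to whatever the server sends in Access-Accept. Both matter to an operator tuning `accounting_close_on_timeout` just above, which is defined in terms of those interim updates. If the value is in seconds and 0 disables the locally scheduled updates, say so: `# Interval (in seconds) for interim RADIUS accounting updates, if not specified by the RADIUS server in the Access-Accept message; 0 to disable.` The same text appears in the conf/plugins/eap-radius.opt hunk and in conf/strongswan.conf.5.main; if the .conf file and the man page are generated from the .opt file, that is where the wording should change.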
diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt
index 0df6a0d6f..2a6786dd9 100644
--- a/conf/plugins/eap-radius.opt
+++ b/conf/plugins/eap-radius.opt
@@ -5,12 +5,16 @@ charon.plugins.eap-radius.accounting_close_on_timeout = yes
Close the IKE_SA if there is a timeout during interim RADIUS accounting
updates.
+charon.plugins.eap-radius.accounting_interval = 0
+ Interval for interim RADIUS accounting updates, if not specified by the
+ RADIUS server in the Access-Accept message.
+
charon.plugins.eap-radius.accounting_requires_vip = no
If enabled, accounting is disabled unless an IKE_SA has at least one
virtual IP.
charon.plugins.eap-radius.class_group = no
- Use class attributes in RADIUS-Accept messages as group membership
+ Use class attributes in Access-Accept messages as group membership
information.
Use the _class_ attribute sent in the RADIUS-Accept message as group
diff --git a/conf/plugins/ext-auth.conf b/conf/plugins/ext-auth.conf
new file mode 100644
index 000000000..f5aa45f6f
--- /dev/null
+++ b/conf/plugins/ext-auth.conf
@@ -0,0 +1,11 @@
+ext-auth {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Shell script to invoke for peer authorization.
+ # script =
+
+}
+
diff --git a/conf/plugins/ext-auth.opt b/conf/plugins/ext-auth.opt
new file mode 100644
index 000000000..bf127b9d7
--- /dev/null
+++ b/conf/plugins/ext-auth.opt
@@ -0,0 +1,15 @@
+charon.plugins.ext-auth.script =
+ Shell script to invoke for peer authorization.
+
+ Command to pass to the system shell for peer authorization. Authorization
+ is considered successful if the command executes normally with an exit code
+ of zero. For all other exit codes IKE_SA authorization is rejected.
+
+ The following environment variables get passed to the script:
+ _IKE_UNIQUE_ID_: The IKE_SA numerical unique identifier.
+ _IKE_NAME_: The peer configuration connection name.
+ _IKE_LOCAL_HOST_: Local IKE IP address.
+ _IKE_REMOTE_HOST_: Remote IKE IP address.
+ _IKE_LOCAL_ID_: Local IKE identity.
+ _IKE_REMOTE_ID_: Remote IKE identity.
+ _IKE_REMOTE_EAP_ID_: Remote EAP or XAuth identity, if used.
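Review bot: The description never says what the plugin does when `script` is left at its empty default, even though the new conf/plugins/ext-auth.conf ships with `load = yes` — whether authorization is skipped, every IKE_SA is rejected, or the plugin declines to load. Because the value is handed to the system shell and its exit status decides IKE_SA authorization, the text should also state the privileges the command runs with (presumably the daemon's — verify) and confirm that peer-supplied values such as the remote identities reach the script only through the listed environment variables and are never interpolated into the command line, so that an operator knows to point this at an absolute path to a script that unprivileged users cannot modify. A sentence like `If no script is configured, the plugin [skips / rejects] authorization.` with the actual behavior filled in would close the gap; the same paragraph is duplicated in conf/strongswan.conf.5.main.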
diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf
index 670746963..f05f486b1 100644
--- a/conf/plugins/kernel-netlink.conf
+++ b/conf/plugins/kernel-netlink.conf
@@ -8,10 +8,20 @@ kernel-netlink {
# priority of this plugin.
load = yes
+ # MSS to set on installed routes, 0 to disable.
+ # mss = 0
+
+ # MTU to set on installed routes, 0 to disable.
+ # mtu = 0
+
# Whether to trigger roam events when interfaces, addresses or routes
# change.
# roam_events = yes
+ # Whether to set protocol and ports in the selector installed on transport
+ # mode IPsec SAs in the kernel.
+ # set_proto_port_transport_sa = no
+
# Lifetime of XFRM acquire state in kernel.
# xfrm_acq_expires = 165
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
index a8e421b6e..7d44581a5 100644
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
@@ -7,9 +7,24 @@ charon.plugins.kernel-netlink.fwmark =
inverts the meaning (i.e. the rule only applies to packets that don't match
the mark).
+charon.plugins.kernel-netlink.mss = 0
+ MSS to set on installed routes, 0 to disable.
+
+charon.plugins.kernel-netlink.mtu = 0
+ MTU to set on installed routes, 0 to disable.
+
charon.plugins.kernel-netlink.roam_events = yes
Whether to trigger roam events when interfaces, addresses or routes change.
+charon.plugins.kernel-netlink.set_proto_port_transport_sa = no
+ Whether to set protocol and ports in the selector installed on transport
+ mode IPsec SAs in the kernel.
+
+ Whether to set protocol and ports in the selector installed on transport
+ mode IPsec SAs in the kernel. While doing so enforces policies for inbound
+ traffic, it also prevents the use of a single IPsec SA by more than one
+ traffic selector.
+
charon.plugins.kernel-netlink.xfrm_acq_expires = 165
Lifetime of XFRM acquire state in kernel.
diff --git a/conf/plugins/stroke.conf b/conf/plugins/stroke.conf
index 6dd063053..3d8ee0acc 100644
--- a/conf/plugins/stroke.conf
+++ b/conf/plugins/stroke.conf
@@ -14,6 +14,9 @@ stroke {
# If enabled log level changes via stroke socket are not allowed.
# prevent_loglevel_changes = no
+ # Location of the ipsec.secrets file
+ # secrets_file = ${sysconfdir}/ipsec.secrets
+
# Socket provided by the stroke plugin.
# socket = unix://${piddir}/charon.ctl
diff --git a/conf/plugins/stroke.opt b/conf/plugins/stroke.opt
index 2cfc2c6fa..4b49b1f04 100644
--- a/conf/plugins/stroke.opt
+++ b/conf/plugins/stroke.opt
@@ -8,6 +8,9 @@ charon.plugins.stroke.max_concurrent = 4
charon.plugins.stroke.prevent_loglevel_changes = no
If enabled log level changes via stroke socket are not allowed.
+charon.plugins.stroke.secrets_file = ${sysconfdir}/ipsec.secrets
+ Location of the ipsec.secrets file
+
charon.plugins.stroke.socket = unix://${piddir}/charon.ctl
Socket provided by the stroke plugin.
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index d93c208ae..28f6b12ec 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -165,9 +165,11 @@ are released to free memory once an IKE_SA is established. Enabling this might
conflict with plugins that later need access to e.g. the used certificates.
.TP
-.BR charon.fragment_size " [512]"
-Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
-fragmentation extension.
+.BR charon.fragment_size " [0]"
+Maximum size (complete IP datagram size in bytes) of a sent IKE fragment when
+using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for address
+family specific default values). If specified this limit is used for both
+IPv4 and IPv6.
.TP
.BR charon.group " []"
@@ -511,6 +513,11 @@ Send RADIUS accounting information to RADIUS servers.
Close the IKE_SA if there is a timeout during interim RADIUS accounting updates.
.TP
+.BR charon.plugins.eap-radius.accounting_interval " [0]"
+Interval for interim RADIUS accounting updates, if not specified by the RADIUS
+server in the Access\-Accept message.
+
+.TP
.BR charon.plugins.eap-radius.accounting_requires_vip " [no]"
If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP.
@@ -732,6 +739,29 @@ Request peer authentication based on a client certificate.
Socket provided by the error\-notify plugin.
.TP
+.BR charon.plugins.ext-auth.script " []"
+Command to pass to the system shell for peer authorization. Authorization is
+considered successful if the command executes normally with an exit code of
+zero. For all other exit codes IKE_SA authorization is rejected.
+
+The following environment variables get passed to the script:
+.RI "" "IKE_UNIQUE_ID" ":"
+The IKE_SA numerical unique identifier.
+.RI "" "IKE_NAME" ":"
+The peer configuration
+connection name.
+.RI "" "IKE_LOCAL_HOST" ":"
+Local IKE IP address.
+.RI "" "IKE_REMOTE_HOST" ":"
+Remote IKE IP address.
+.RI "" "IKE_LOCAL_ID" ":"
+Local IKE identity.
+.RI "" "IKE_REMOTE_ID" ":"
+Remote IKE identity.
+.RI "" "IKE_REMOTE_EAP_ID" ":"
+Remote EAP or XAuth identity, if used.
+
+.TP
.BR charon.plugins.gcrypt.quick_random " [no]"
Use faster random numbers in gcrypt; for testing only, produces weak keys!
@@ -782,10 +812,24 @@ table. The format is [!]mark[/mask], where the optional exclamation mark inverts
the meaning (i.e. the rule only applies to packets that don't match the mark).
.TP
+.BR charon.plugins.kernel-netlink.mss " [0]"
+MSS to set on installed routes, 0 to disable.
+
+.TP
+.BR charon.plugins.kernel-netlink.mtu " [0]"
+MTU to set on installed routes, 0 to disable.
+
+.TP
.BR charon.plugins.kernel-netlink.roam_events " [yes]"
Whether to trigger roam events when interfaces, addresses or routes change.
.TP
+.BR charon.plugins.kernel-netlink.set_proto_port_transport_sa " [no]"
+Whether to set protocol and ports in the selector installed on transport mode
+IPsec SAs in the kernel. While doing so enforces policies for inbound traffic,
+it also prevents the use of a single IPsec SA by more than one traffic selector.
+
+.TP
.BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]"
Lifetime of XFRM acquire state in kernel. The value gets written to
/proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM
@@ -1123,6 +1167,10 @@ Maximum number of stroke messages handled concurrently.
If enabled log level changes via stroke socket are not allowed.
.TP
+.BR charon.plugins.stroke.secrets_file " [${sysconfdir}/ipsec.secrets]"
+Location of the ipsec.secrets file
+
+.TP
.BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]"
Socket provided by the stroke plugin.
@@ -1483,6 +1531,23 @@ Name of the user the daemon changes to after startup.
Discard certificates with unsupported or unknown critical extensions.
.TP
+.B charon-systemd.journal
+.br
+Section to configure native systemd journal logger, very similar to the syslog
+logger as described in LOGGER CONFIGURATION in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.BR charon-systemd.journal.<subsystem> " [<default>]"
+Loglevel for a specific subsystem.
+
+.TP
+.BR charon-systemd.journal.default " [1]"
+Specifies the default loglevel to be used for subsystems for which no specific
+loglevel is defined.
+
+.TP
.BR libimcv.debug_level " [1]"
Debug level for a stand\-alone
.RI "" "libimcv" ""
@@ -1741,6 +1806,10 @@ Plugins to load in ipsec pool tool.
Plugins to load in ipsec scepclient tool.
.TP
+.BR starter.config_file " [${sysconfdir}/ipsec.conf]"
+Location of the ipsec.conf file
+
+.TP
.BR starter.load " []"
Plugins to load in starter.