authorYves-Alexis Perez <corsac@debian.org>2016-03-24 11:59:32 +0100
committerYves-Alexis Perez <corsac@debian.org>2016-03-24 11:59:32 +0100
commit518dd33c94e041db0444c7d1f33da363bb8e3faf (patch)
treee8d1665ffadff7ec40228dda47e81f8f4691cd07 /conf
parentf42f239a632306ed082f6fde878977248eea85cf (diff)
downloadvyos-strongswan-518dd33c94e041db0444c7d1f33da363bb8e3faf.tar.gz
vyos-strongswan-518dd33c94e041db0444c7d1f33da363bb8e3faf.zip
Imported Upstream version 5.4.0
Diffstat (limited to 'conf')
-rw-r--r--conf/Makefile.am1
-rw-r--r--conf/Makefile.in3
-rwxr-xr-xconf/format-options.py42
-rw-r--r--conf/options/charon.conf8
-rw-r--r--conf/options/charon.opt13
-rw-r--r--conf/plugins/p-cscf.conf18
-rw-r--r--conf/plugins/p-cscf.opt11
-rw-r--r--conf/strongswan.conf.5.main24
8 files changed, 102 insertions, 18 deletions
diff --git a/conf/Makefile.am b/conf/Makefile.am
index 72d9f258d..b7edaa8ee 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -73,6 +73,7 @@ plugins = \
plugins/ntru.opt \
plugins/openssl.opt \
plugins/osx-attr.opt \
+ plugins/p-cscf.opt \
plugins/pkcs11.opt \
plugins/radattr.opt \
plugins/random.opt \
diff --git a/conf/Makefile.in b/conf/Makefile.in
index e6781b150..8bfc298a9 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -367,6 +367,8 @@ strongswan_conf = @strongswan_conf@
strongswan_options = @strongswan_options@
swanctldir = @swanctldir@
sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
systemd_daemon_LIBS = @systemd_daemon_LIBS@
systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -455,6 +457,7 @@ plugins = \
plugins/ntru.opt \
plugins/openssl.opt \
plugins/osx-attr.opt \
+ plugins/p-cscf.opt \
plugins/pkcs11.opt \
plugins/radattr.opt \
plugins/random.opt \
diff --git a/conf/format-options.py b/conf/format-options.py
index d046e24ca..307394399 100755
--- a/conf/format-options.py
+++ b/conf/format-options.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python
#
-# Copyright (C) 2014 Tobias Brunner
+# Copyright (C) 2014-2015 Tobias Brunner
# Hochschule fuer Technik Rapperswil
#
# This program is free software; you can redistribute it and/or modify it
@@ -48,6 +48,14 @@ full.section.name {[#]}
If a # is added between the curly braces the section header will be commented
out in the configuration file snippet, which is useful for example sections.
+
+Dots in section/option names may be escaped with a backslash. For instance,
+with the following section description
+
+charon.filelog./var/log/daemon\.log {}
+ Section to define logging into /var/log/daemon.log
+
+/var/log/daemon.log will be the name of the last section.
"""
import sys
@@ -58,9 +66,10 @@ from operator import attrgetter
class ConfigOption:
"""Representing a configuration option or described section in strongswan.conf"""
- def __init__(self, name, default = None, section = False, commented = False):
- self.name = name.split('.')[-1]
- self.fullname = name
+ def __init__(self, path, default = None, section = False, commented = False):
+ self.path = path
+ self.name = path[-1]
+ self.fullname = '.'.join(path)
self.default = default
self.section = section
self.commented = commented
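Review bot: The new `path` parameter replaces `name` without any documentation of its shape; a reader has to go to `__split_name` to learn it is a list of already-unescaped section/option names whose last element is the option's own name. I would add above `self.path = path`: `# path: list of section/option names (dots already unescaped); the last element is this option's own name, the rest its enclosing sections`. `path[-1]` also requires a non-empty list, which both visible callers satisfy (`re.split` in `__split_name` always yields at least one element, and `__get_option` passes `path[:i]` with i >= 1), so stating that precondition in the same comment costs nothing. `__init__` continues past the end of this hunk.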
@@ -68,7 +77,7 @@ class ConfigOption:
self.options = []
def __lt__(self, other):
- return self.name < other.name
+ return self.name < other.name
def add_paragraph(self):
"""Adds a new paragraph to the description"""
@@ -113,7 +122,8 @@ class Parser:
if m:
if self.__current:
self.__add_option(self.__current)
- self.__current = ConfigOption(m.group('name'), m.group('default'),
+ path = self.__split_name(m.group('name'))
+ self.__current = ConfigOption(path, m.group('default'),
commented = not m.group('assign'))
return
# section definition
@@ -121,7 +131,8 @@ class Parser:
if m:
if self.__current:
self.__add_option(self.__current)
- self.__current = ConfigOption(m.group('name'), section = True,
+ path = self.__split_name(m.group('name'))
+ self.__current = ConfigOption(path, section = True,
commented = m.group('comment'))
return
# paragraph separator
@@ -133,11 +144,14 @@ class Parser:
if m and self.__current:
self.__current.add(m.group('text'))
+ def __split_name(self, name):
+ """Split the given full name in a list of section/option names"""
+ return [x.replace('\.', '.') for x in re.split(r'(?<!\\)\.', name)]
+
def __add_option(self, option):
"""Adds the given option to the abstract storage"""
option.desc = [desc for desc in option.desc if len(desc)]
- parts = option.fullname.split('.')
- parent = self.__get_option(parts[:-1], True)
+ parent = self.__get_option(option.path[:-1], True)
if not parent:
parent = self
found = next((x for x in parent.options if x.name == option.name
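Review bot: `x.replace('\.', '.')` in the new `__split_name` spells the backslash-dot pattern as a non-raw string; Python 2 keeps the unknown escape as two characters so it works today, but Python 3 warns on it (DeprecationWarning, and a SyntaxWarning from 3.12) and the script's shebang is the unversioned `python`. Write it as `x.replace(r'\.', '.')` to match the raw `re.split(r'(?<!\\)\.', name)` beside it. Note also that the unescape handles only `\.`: a name needing a literal backslash directly before a dot has no spelling, because the negative lookbehind would treat that dot as escaped — probably acceptable for strongswan.conf option names, but worth a line in the helper's docstring. `__add_option` continues beyond the hunk.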
@@ -149,18 +163,16 @@ class Parser:
if self.sort:
parent.options.sort()
- def __get_option(self, parts, create = False):
+ def __get_option(self, path, create = False):
"""Searches/Creates the option (section) based on a list of section names"""
option = None
options = self.options
- fullname = ""
- for name in parts:
- fullname += '.' + name if len(fullname) else name
+ for i, name in enumerate(path, 1):
option = next((x for x in options if x.name == name and x.section), None)
if not option:
if not create:
break
- option = ConfigOption(fullname, section = True)
+ option = ConfigOption(path[:i], section = True)
options.append(option)
if self.sort:
options.sort()
@@ -169,7 +181,7 @@ class Parser:
def get_option(self, name):
"""Retrieves the option with the given name"""
- return self.__get_option(name.split('.'))
+ return self.__get_option(self.__split_name(name))
class TagReplacer:
"""Replaces formatting tags in text"""
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index b55d429a7..5ca61a8e8 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -20,6 +20,9 @@ charon {
# Number of half-open IKE_SAs that activate the cookie mechanism.
# cookie_threshold = 10
+ # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
+ # delete_rekeyed = no
+
# Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
# strength.
# dh_exponent_ansi_x9_42 = yes
@@ -44,6 +47,9 @@ charon {
# Free objects during authentication (might conflict with plugins).
# flush_auth_cfg = no
+ # Whether to follow IKEv2 redirects (RFC 5685).
+ # follow_redirects = yes
+
# Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
# when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
# address family specific default values). If specified this limit is
@@ -188,7 +194,7 @@ charon {
# DNS resolution failed), 0 to disable retries.
# retry_initiate_interval = 0
- # Initiate CHILD_SA within existing IKE_SAs.
+ # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
# reuse_ikesa = yes
# Numerical routing table to install routes to.
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 816f3250c..86279ec83 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -61,6 +61,14 @@ charon.crypto_test.required = no
charon.crypto_test.rng_true = no
Whether to test RNG with TRUE quality; requires a lot of entropy.
+charon.delete_rekeyed = no
+ Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
+
+ Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
+ Reduces the number of stale CHILD_SAs in scenarios with a lot of rekeyings.
+ However, this might cause problems with implementations that continue to
+ use rekeyed SAs until they expire.
+
charon.dh_exponent_ansi_x9_42 = yes
Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
strength.
@@ -89,6 +97,9 @@ charon.flush_auth_cfg = no
this might conflict with plugins that later need access to e.g. the used
certificates.
+charon.follow_redirects = yes
+ Whether to follow IKEv2 redirects (RFC 5685).
+
charon.fragment_size = 0
Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
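Review bot: `charon.follow_redirects = yes` turns on following RFC 5685 REDIRECT notifies by default, but the one-line description gives an operator nothing to decide with, and this is the file the man page and charon.conf are generated from. Per RFC 5685 a redirect may arrive in the IKE_SA_INIT response, before the responder has been authenticated, so an on-path party can at least steer a client to another gateway or disrupt its setup; the redirect target is still authenticated under the client's normal configuration, which bounds the impact. I would add a second paragraph along the lines of: `Redirects may be received before the responder is authenticated, so an on-path attacker can steer a client to a different gateway or disrupt connection setup; the new gateway is still authenticated normally. Disable this on hosts that must only ever connect to a fixed gateway.` Whether charon limits the number of redirects it follows, or only honours them from authenticated peers, is not visible here and should be checked against the implementation before the wording is finalised.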
@@ -283,7 +294,7 @@ charon.retry_initiate_interval = 0
resolution failed), 0 to disable retries.
charon.reuse_ikesa = yes
- Initiate CHILD_SA within existing IKE_SAs.
+ Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
charon.routing_table
Numerical routing table to install routes to.
diff --git a/conf/plugins/p-cscf.conf b/conf/plugins/p-cscf.conf
new file mode 100644
index 000000000..5225a7ce6
--- /dev/null
+++ b/conf/plugins/p-cscf.conf
@@ -0,0 +1,18 @@
+p-cscf {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Section to enable requesting P-CSCF server addresses for individual
+ # connections.
+ enable {
+
+ # <conn> is the name of a connection with an ePDG from which to request
+ # P-CSCF server addresses.
+ # <conn> = no
+
+ }
+
+}
+
diff --git a/conf/plugins/p-cscf.opt b/conf/plugins/p-cscf.opt
new file mode 100644
index 000000000..ec7f8153f
--- /dev/null
+++ b/conf/plugins/p-cscf.opt
@@ -0,0 +1,11 @@
+charon.plugins.p-cscf.enable {}
+ Section to enable requesting P-CSCF server addresses for individual
+ connections.
+
+charon.plugins.p-cscf.enable.<conn> = no
+ <conn> is the name of a connection with an ePDG from which to request
+ P-CSCF server addresses.
+
+ <conn> is the name of a connection with an ePDG from which to request
+ P-CSCF server addresses. Requests will be sent for addresses of the same
+ families for which internal IPs are requested.
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index 633588325..e6a502952 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -97,6 +97,13 @@ Strictly require at least one test vector to enable an algorithm.
Whether to test RNG with TRUE quality; requires a lot of entropy.
.TP
+.BR charon.delete_rekeyed " [no]"
+Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). Reduces
+the number of stale CHILD_SAs in scenarios with a lot of rekeyings. However,
+this might cause problems with implementations that continue to use rekeyed SAs
+until they expire.
+
+.TP
.BR charon.dh_exponent_ansi_x9_42 " [yes]"
Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
strength.
@@ -177,6 +184,10 @@ are released to free memory once an IKE_SA is established. Enabling this might
conflict with plugins that later need access to e.g. the used certificates.
.TP
+.BR charon.follow_redirects " [yes]"
+Whether to follow IKEv2 redirects (RFC 5685).
+
+.TP
.BR charon.fragment_size " [0]"
Maximum size (complete IP datagram size in bytes) of a sent IKE fragment when
using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for address
@@ -1191,6 +1202,17 @@ Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
Whether DNS servers are appended to existing entries, instead of replacing them.
.TP
+.B charon.plugins.p-cscf.enable
+.br
+Section to enable requesting P\-CSCF server addresses for individual connections.
+
+.TP
+.BR charon.plugins.p-cscf.enable.<conn> " [no]"
+<conn> is the name of a connection with an ePDG from which to request P\-CSCF
+server addresses. Requests will be sent for addresses of the same families for
+which internal IPs are requested.
+
+.TP
.BR charon.plugins.pkcs11.load_certs " [yes]"
Whether to load certificates from tokens.
@@ -1572,7 +1594,7 @@ resolution failed), 0 to disable retries.
.TP
.BR charon.reuse_ikesa " [yes]"
-Initiate CHILD_SA within existing IKE_SAs.
+Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
.TP
.BR charon.routing_table " []"