Imported Upstream version 5.0.3

6 files changed, 188 insertions, 37 deletions

diff --git a/man/Makefile.in b/man/Makefile.in
index e313a4fff..daebe3b90 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -15,6 +15,23 @@
 
 @SET_MAKE@
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -54,6 +71,11 @@ CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 SOURCES =
 DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -99,6 +121,8 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -115,6 +139,7 @@ EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -183,8 +208,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -240,7 +263,6 @@ nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -320,11 +342,18 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-man5: $(dist_man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
-	@list=''; test -n "$(man5dir)" || exit 0; \
-	{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
-	  sed -n '/\.5[a-z]*$$/p'; \
+	@list1=''; \
+	list2='$(dist_man_MANS)'; \
+	test -n "$(man5dir)" \
+	  && test -n "`echo $$list1$$list2`" \
+	  || exit 0; \
+	echo " $(MKDIR_P) '$(DESTDIR)$(man5dir)'"; \
+	$(MKDIR_P) "$(DESTDIR)$(man5dir)" || exit 1; \
+	{ for i in $$list1; do echo "$$i"; done;  \
+	if test -n "$$list2"; then \
+	  for i in $$list2; do echo "$$i"; done \
+	    | sed -n '/\.5[a-z]*$$/p'; \
+	fi; \
 	} | while read p; do \
 	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; echo "$$p"; \
diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5
index e24196c2b..554a6e8ca 100644
--- a/man/ipsec.conf.5
+++ b/man/ipsec.conf.5
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2012-06-26" "5.0.2" "strongSwan"
+.TH IPSEC.CONF 5 "2012-06-26" "5.0.3rc1" "strongSwan"
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
@@ -452,6 +452,11 @@ suites, the strict flag
 exclamation mark) can be used, e.g:
 .BR aes256-sha512-modp4096!
 .TP
+.BR ikedscp " = " 000000 " | <DSCP field>"
+Differentiated Services Field Codepoint to set on outgoing IKE packets sent
+from this connection. The value is a six digit binary encoded string defining
+the Codepoint to set, as defined in RFC 2474.
+.TP
 .BR ikelifetime " = " 3h " | <time>"
 how long the keying channel of a connection (ISAKMP or IKE SA)
 should last before being renegotiated. Also see EXPIRY/REKEY below.
@@ -613,6 +618,10 @@ connection. See ipsec.secrets(5) for details about smartcard definitions.
 is required only if selecting the certificate with
 .B leftid
 is not sufficient, for example if multiple certificates use the same subject.
+.br
+Multiple certificate paths or PKCS#11 backends can be specified in a comma
+separated list. The daemon chooses the certificate based on the received
+certificate requests if possible before enforcing the first.
 .TP
 .BR leftcert2 " = <path>"
 Same as
@@ -737,6 +746,14 @@ can be used to the same effect, e.g.
 .B leftprotoport=udp/%any
 or
 .BR leftprotoport=%any/53 .
+
+The port value can alternatively take the value
+.B %opaque
+for RFC 4301 OPAQUE selectors, or a numerical range in the form
+.BR 1024-65535 .
+None of the kernel backends currently supports opaque or port ranges and uses
+.B %any
+for policy installation instead.
 .TP
 .BR leftrsasigkey " = <raw rsa public key> | <path to public key>"
 the left participant's public key for RSA signature authentication, in RFC 2537
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 2766cc4ed..e778ab773 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -452,6 +452,11 @@ suites, the strict flag
 exclamation mark) can be used, e.g:
 .BR aes256-sha512-modp4096!
 .TP
+.BR ikedscp " = " 000000 " | <DSCP field>"
+Differentiated Services Field Codepoint to set on outgoing IKE packets sent
+from this connection. The value is a six digit binary encoded string defining
+the Codepoint to set, as defined in RFC 2474.
+.TP
 .BR ikelifetime " = " 3h " | <time>"
 how long the keying channel of a connection (ISAKMP or IKE SA)
 should last before being renegotiated. Also see EXPIRY/REKEY below.
@@ -613,6 +618,10 @@ connection. See ipsec.secrets(5) for details about smartcard definitions.
 is required only if selecting the certificate with
 .B leftid
 is not sufficient, for example if multiple certificates use the same subject.
+.br
+Multiple certificate paths or PKCS#11 backends can be specified in a comma
+separated list. The daemon chooses the certificate based on the received
+certificate requests if possible before enforcing the first.
 .TP
 .BR leftcert2 " = <path>"
 Same as
@@ -737,6 +746,14 @@ can be used to the same effect, e.g.
 .B leftprotoport=udp/%any
 or
 .BR leftprotoport=%any/53 .
+
+The port value can alternatively take the value
+.B %opaque
+for RFC 4301 OPAQUE selectors, or a numerical range in the form
+.BR 1024-65535 .
+None of the kernel backends currently supports opaque or port ranges and uses
+.B %any
+for policy installation instead.
 .TP
 .BR leftrsasigkey " = <raw rsa public key> | <path to public key>"
 the left participant's public key for RSA signature authentication, in RFC 2537
diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5
index 127f18f20..0948e5cc9 100644
--- a/man/ipsec.secrets.5
+++ b/man/ipsec.secrets.5
@@ -1,4 +1,4 @@
-.TH IPSEC.SECRETS 5 "2011-12-14" "5.0.2" "strongSwan"
+.TH IPSEC.SECRETS 5 "2011-12-14" "5.0.3rc1" "strongSwan"
 .SH NAME
 ipsec.secrets \- secrets for IKE/IPsec authentication
 .SH DESCRIPTION
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5
index 8a34a7f93..34dfde735 100644
--- a/man/strongswan.conf.5
+++ b/man/strongswan.conf.5
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2013-01-25" "5.0.2" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-04-01" "5.0.3" "strongSwan"
 .SH NAME
 strongswan.conf \- strongSwan configuration file
 .SH DESCRIPTION
@@ -416,6 +416,10 @@ is compared to the groups specified in the
 option in
 .B ipsec.conf (5).
 .TP
+.BR charon.plugins.eap-radius.close_all_on_timeout " [no]"
+Closes all IKE_SAs if communication with the RADIUS server times out. If it is
+not set only the current IKE_SA is closed.
+.TP
 .BR charon.plugins.eap-radius.dae.enable " [no]"
 Enables support for the Dynamic Authorization Extension (RFC 5176)
 .TP
@@ -539,6 +543,10 @@ Start phase2 EAP TNC protocol after successful client authentication
 .BR charon.plugins.eap-ttls.request_peer_auth " [no]"
 Request peer authentication based on a client certificate
 .TP
+.BR charon.plugins.ha.autobalance " [0]"
+Interval in seconds to automatically balance handled segments between nodes.
+Set to 0 to disable.
+.TP
 .BR charon.plugins.ha.fifo_interface " [yes]"
 
 .TP
@@ -569,6 +577,9 @@ Request peer authentication based on a client certificate
 .BR charon.plugins.ha.segment_count " [1]"
 
 .TP
+.BR charon.plugins.ipseckey.enable " [no]"
+Enable the fetching of IPSECKEY RRs from the DNS
+.TP
 .BR charon.plugins.led.activity_led
 
 .TP
@@ -616,6 +627,21 @@ certificates even if they don't contain a CA basic constraint.
 .BR charon.plugins.stroke.max_concurrent " [4]"
 Maximum number of stroke messages handled concurrently
 .TP
+.BR charon.plugins.stroke.timeout " [0]"
+Timeout in ms for any stroke command. Use 0 to disable the timeout
+.TP
+.BR charon.plugins.systime-fix.interval " [0]"
+Interval in seconds to check system time for validity. 0 disables the check
+.TP
+.BR charon.plugins.systime-fix.reauth " [no]"
+Whether to use reauth or delete if an invalid cert lifetime is detected
+.TP
+.BR charon.plugins.systime-fix.threshold
+Threshold date where system time is considered valid. Disabled if not specified
+.TP
+.BR charon.plugins.systime-fix.threshold_format " [%Y]"
+strptime(3) format used to parse threshold option
+.TP
 .BR charon.plugins.tnccs-11.max_message_size " [45000]"
 Maximum size of a PA-TNC message (XML & Base64 encoding)
 .TP
@@ -625,23 +651,26 @@ Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529)
 .BR charon.plugins.tnccs-20.max_message_size " [65490]"
 Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497)
 .TP
+.BR charon.plugins.tnc-ifmap.client_cert
+Path to X.509 certificate file of IF-MAP client
+.TP
+.BR charon.plugins.tnc-ifmap.client_key
+Path to private key file of IF-MAP client
+.TP
 .BR charon.plugins.tnc-ifmap.device_name
-Unique name of strongSwan as a PEP and/or PDP device
+Unique name of strongSwan server as a PEP and/or PDP device
 .TP
-.BR charon.plugins.tnc-ifmap.key_file
-Concatenated client certificate and private key
+.BR charon.plugins.tnc-ifmap.renew_session_interval " [150]"
+Interval in seconds between periodic IF-MAP RenewSession requests
 .TP
-.BR charon.plugins.tnc-ifmap.password
-Authentication password of strongSwan MAP client
+.BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]"
+URI of the form [https://]servername[:port][/path]
 .TP
 .BR charon.plugins.tnc-ifmap.server_cert
-Certificate of MAP server
+Path to X.509 certificate file of IF-MAP server
 .TP
-.BR charon.plugins.tnc-ifmap.ssl_passphrase
-Passphrase protecting the private key
-.TP
-.BR charon.plugins.tnc-ifmap.username
-Authentication username of strongSwan MAP client
+.BR charon.plugins.tnc-ifmap.username_password
+Credentials of IF-MAP client of the form username:password
 .TP
 .BR charon.plugins.tnc-imc.dlclose " [yes]"
 Unload IMC after use
@@ -664,6 +693,9 @@ Shared RADIUS secret between strongSwan PDP and NAS
 .BR charon.plugins.tnc-pdp.server
 Name of the strongSwan PDP as contained in the AAA certificate
 .TP
+.BR charon.plugins.tnc-pdp.timeout
+Timeout in seconds before closing incomplete connections
+.TP
 .BR charon.plugins.updown.dns_handler " [no]"
 Whether the updown script should handle DNS serves assigned via IKEv1 Mode
 Config or IKEv2 Config Payloads (if enabled they can't be handled by other
@@ -776,6 +808,12 @@ File to read random bytes from, instead of /dev/random
 .TP
 .BR libstrongswan.plugins.random.urandom " [/dev/urandom]"
 File to read pseudo random bytes from, instead of /dev/urandom
+.TP
+.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
+File to read DNS resolver configuration from
+.TP
+.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
+File to read DNSSEC trust anchors from (usually root zone KSK)
 .SS libtnccs section
 .TP
 .BR libtnccs.tnc_config " [/etc/tnc_config]"
@@ -1299,6 +1337,9 @@ preconfigured credentials and allows an attacker to authenticate as any user.
 Subsection that contains key/value pairs with address pools (in CIDR notation)
 to use for a specific network interface e.g. eth0 = 10.10.0.0/16
 .TP
+.BR charon.plugins.load-tester.addrs_keep " [no]"
+Whether to keep dynamic addresses even after the associated SA got terminated
+.TP
 .BR charon.plugins.load-tester.addrs_prefix " [16]"
 Network prefix length to use when installing dynamic addresses. If set to -1 the
 full address is used (i.e. 32 or 128)
@@ -1330,6 +1371,9 @@ EAP secret to use in load test
 .BR charon.plugins.load-tester.enable " [no]"
 Enable the load testing plugin
 .TP
+.BR charon.plugins.load-tester.esp " [aes128-sha1]"
+CHILD_SA proposal to use for load tests
+.TP
 .BR charon.plugins.load-tester.fake_kernel " [no]"
 Fake the kernel interface to allow load-testing against self
 .TP
@@ -1352,7 +1396,7 @@ Authentication method(s) the intiator uses
 Initiator ID used in load test
 .TP
 .BR charon.plugins.load-tester.initiator_match
-Initiator ID to to match against as responder
+Initiator ID to match against as responder
 .TP
 .BR charon.plugins.load-tester.initiator_tsi
 Traffic selector on initiator side, as proposed by initiator
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 2fafed62d..d483addbd 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2013-01-25" "@IPSEC_VERSION@" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-04-01" "@IPSEC_VERSION@" "strongSwan"
 .SH NAME
 strongswan.conf \- strongSwan configuration file
 .SH DESCRIPTION
@@ -416,6 +416,10 @@ is compared to the groups specified in the
 option in
 .B ipsec.conf (5).
 .TP
+.BR charon.plugins.eap-radius.close_all_on_timeout " [no]"
+Closes all IKE_SAs if communication with the RADIUS server times out. If it is
+not set only the current IKE_SA is closed.
+.TP
 .BR charon.plugins.eap-radius.dae.enable " [no]"
 Enables support for the Dynamic Authorization Extension (RFC 5176)
 .TP
@@ -539,6 +543,10 @@ Start phase2 EAP TNC protocol after successful client authentication
 .BR charon.plugins.eap-ttls.request_peer_auth " [no]"
 Request peer authentication based on a client certificate
 .TP
+.BR charon.plugins.ha.autobalance " [0]"
+Interval in seconds to automatically balance handled segments between nodes.
+Set to 0 to disable.
+.TP
 .BR charon.plugins.ha.fifo_interface " [yes]"
 
 .TP
@@ -569,6 +577,9 @@ Request peer authentication based on a client certificate
 .BR charon.plugins.ha.segment_count " [1]"
 
 .TP
+.BR charon.plugins.ipseckey.enable " [no]"
+Enable the fetching of IPSECKEY RRs from the DNS
+.TP
 .BR charon.plugins.led.activity_led
 
 .TP
@@ -616,6 +627,21 @@ certificates even if they don't contain a CA basic constraint.
 .BR charon.plugins.stroke.max_concurrent " [4]"
 Maximum number of stroke messages handled concurrently
 .TP
+.BR charon.plugins.stroke.timeout " [0]"
+Timeout in ms for any stroke command. Use 0 to disable the timeout
+.TP
+.BR charon.plugins.systime-fix.interval " [0]"
+Interval in seconds to check system time for validity. 0 disables the check
+.TP
+.BR charon.plugins.systime-fix.reauth " [no]"
+Whether to use reauth or delete if an invalid cert lifetime is detected
+.TP
+.BR charon.plugins.systime-fix.threshold
+Threshold date where system time is considered valid. Disabled if not specified
+.TP
+.BR charon.plugins.systime-fix.threshold_format " [%Y]"
+strptime(3) format used to parse threshold option
+.TP
 .BR charon.plugins.tnccs-11.max_message_size " [45000]"
 Maximum size of a PA-TNC message (XML & Base64 encoding)
 .TP
@@ -625,23 +651,26 @@ Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529)
 .BR charon.plugins.tnccs-20.max_message_size " [65490]"
 Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497)
 .TP
+.BR charon.plugins.tnc-ifmap.client_cert
+Path to X.509 certificate file of IF-MAP client
+.TP
+.BR charon.plugins.tnc-ifmap.client_key
+Path to private key file of IF-MAP client
+.TP
 .BR charon.plugins.tnc-ifmap.device_name
-Unique name of strongSwan as a PEP and/or PDP device
+Unique name of strongSwan server as a PEP and/or PDP device
 .TP
-.BR charon.plugins.tnc-ifmap.key_file
-Concatenated client certificate and private key
+.BR charon.plugins.tnc-ifmap.renew_session_interval " [150]"
+Interval in seconds between periodic IF-MAP RenewSession requests
 .TP
-.BR charon.plugins.tnc-ifmap.password
-Authentication password of strongSwan MAP client
+.BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]"
+URI of the form [https://]servername[:port][/path]
 .TP
 .BR charon.plugins.tnc-ifmap.server_cert
-Certificate of MAP server
+Path to X.509 certificate file of IF-MAP server
 .TP
-.BR charon.plugins.tnc-ifmap.ssl_passphrase
-Passphrase protecting the private key
-.TP
-.BR charon.plugins.tnc-ifmap.username
-Authentication username of strongSwan MAP client
+.BR charon.plugins.tnc-ifmap.username_password
+Credentials of IF-MAP client of the form username:password
 .TP
 .BR charon.plugins.tnc-imc.dlclose " [yes]"
 Unload IMC after use
@@ -664,6 +693,9 @@ Shared RADIUS secret between strongSwan PDP and NAS
 .BR charon.plugins.tnc-pdp.server
 Name of the strongSwan PDP as contained in the AAA certificate
 .TP
+.BR charon.plugins.tnc-pdp.timeout
+Timeout in seconds before closing incomplete connections
+.TP
 .BR charon.plugins.updown.dns_handler " [no]"
 Whether the updown script should handle DNS serves assigned via IKEv1 Mode
 Config or IKEv2 Config Payloads (if enabled they can't be handled by other
@@ -776,6 +808,12 @@ File to read random bytes from, instead of @DEV_RANDOM@
 .TP
 .BR libstrongswan.plugins.random.urandom " [@DEV_URANDOM@]"
 File to read pseudo random bytes from, instead of @DEV_URANDOM@
+.TP
+.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
+File to read DNS resolver configuration from
+.TP
+.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
+File to read DNSSEC trust anchors from (usually root zone KSK)
 .SS libtnccs section
 .TP
 .BR libtnccs.tnc_config " [/etc/tnc_config]"
@@ -1299,6 +1337,9 @@ preconfigured credentials and allows an attacker to authenticate as any user.
 Subsection that contains key/value pairs with address pools (in CIDR notation)
 to use for a specific network interface e.g. eth0 = 10.10.0.0/16
 .TP
+.BR charon.plugins.load-tester.addrs_keep " [no]"
+Whether to keep dynamic addresses even after the associated SA got terminated
+.TP
 .BR charon.plugins.load-tester.addrs_prefix " [16]"
 Network prefix length to use when installing dynamic addresses. If set to -1 the
 full address is used (i.e. 32 or 128)
@@ -1330,6 +1371,9 @@ EAP secret to use in load test
 .BR charon.plugins.load-tester.enable " [no]"
 Enable the load testing plugin
 .TP
+.BR charon.plugins.load-tester.esp " [aes128-sha1]"
+CHILD_SA proposal to use for load tests
+.TP
 .BR charon.plugins.load-tester.fake_kernel " [no]"
 Fake the kernel interface to allow load-testing against self
 .TP
@@ -1352,7 +1396,7 @@ Authentication method(s) the intiator uses
 Initiator ID used in load test
 .TP
 .BR charon.plugins.load-tester.initiator_match
-Initiator ID to to match against as responder
+Initiator ID to match against as responder
 .TP
 .BR charon.plugins.load-tester.initiator_tsi
 Traffic selector on initiator side, as proposed by initiator