Diffstat (limited to 'conf')
-rw-r--r-- | conf/Makefile.am | 5 | ||||
-rw-r--r-- | conf/Makefile.in | 7 | ||||
-rw-r--r-- | conf/options/aikpub2.conf | 7 | ||||
-rw-r--r-- | conf/options/aikpub2.opt | 2 | ||||
-rw-r--r-- | conf/options/charon.conf | 9 | ||||
-rw-r--r-- | conf/options/charon.opt | 20 | ||||
-rw-r--r-- | conf/plugins/addrblock.conf | 11 | ||||
-rw-r--r-- | conf/plugins/addrblock.opt | 8 | ||||
-rw-r--r-- | conf/plugins/bypass-lan.conf | 17 | ||||
-rw-r--r-- | conf/plugins/bypass-lan.opt | 8 | ||||
-rw-r--r-- | conf/plugins/kernel-netlink.conf | 6 | ||||
-rw-r--r-- | conf/plugins/kernel-netlink.opt | 17 | ||||
-rw-r--r-- | conf/plugins/pkcs11.conf | 16 | ||||
-rw-r--r-- | conf/plugins/pkcs11.opt | 10 | ||||
-rw-r--r-- | conf/plugins/revocation.conf | 14 | ||||
-rw-r--r-- | conf/plugins/revocation.opt | 7 | ||||
-rw-r--r-- | conf/plugins/tpm.conf | 11 | ||||
-rw-r--r-- | conf/plugins/tpm.opt | 2 | ||||
-rw-r--r-- | conf/strongswan.conf.5.main | 86 |
19 files changed, 238 insertions, 25 deletions
diff --git a/conf/Makefile.am b/conf/Makefile.am index 4588b0999..eb5c9c2eb 100644 --- a/conf/Makefile.am +++ b/conf/Makefile.am @@ -9,7 +9,6 @@ pluginstemplatedir = $(templatesdir)/plugins options = \ options/aikgen.opt \ - options/aikpub2.opt \ options/attest.opt \ options/charon.opt \ options/charon-logging.opt \ @@ -28,10 +27,12 @@ options = \ options/tnc.opt plugins = \ + plugins/addrblock.opt \ plugins/android_log.opt \ plugins/attr.opt \ plugins/attr-sql.opt \ plugins/bliss.opt \ + plugins/bypass-lan.opt \ plugins/certexpire.opt \ plugins/coupling.opt \ plugins/dhcp.opt \ @@ -80,6 +81,7 @@ plugins = \ plugins/radattr.opt \ plugins/random.opt \ plugins/resolve.opt \ + plugins/revocation.opt \ plugins/socket-default.opt \ plugins/sql.opt \ plugins/stroke.opt \ @@ -90,6 +92,7 @@ plugins = \ plugins/tnc-pdp.opt \ plugins/tnccs-11.opt \ plugins/tnccs-20.opt \ + plugins/tpm.opt \ plugins/unbound.opt \ plugins/updown.opt \ plugins/vici.opt \ diff --git a/conf/Makefile.in b/conf/Makefile.in index e6d66a25a..70e1b01ec 100644 --- a/conf/Makefile.in +++ b/conf/Makefile.in @@ -312,7 +312,6 @@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ -h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -347,6 +346,7 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ +p_plugins = @p_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ @@ -407,7 +407,6 @@ optionstemplatedir = $(templatesdir)/strongswan.d pluginstemplatedir = $(templatesdir)/plugins options = \ options/aikgen.opt \ - options/aikpub2.opt \ options/attest.opt \ options/charon.opt \ options/charon-logging.opt \ 
@@ -426,10 +425,12 @@ options = \ options/tnc.opt plugins = \ + plugins/addrblock.opt \ plugins/android_log.opt \ plugins/attr.opt \ plugins/attr-sql.opt \ plugins/bliss.opt \ + plugins/bypass-lan.opt \ plugins/certexpire.opt \ plugins/coupling.opt \ plugins/dhcp.opt \ @@ -478,6 +479,7 @@ plugins = \ plugins/radattr.opt \ plugins/random.opt \ plugins/resolve.opt \ + plugins/revocation.opt \ plugins/socket-default.opt \ plugins/sql.opt \ plugins/stroke.opt \ @@ -488,6 +490,7 @@ plugins = \ plugins/tnc-pdp.opt \ plugins/tnccs-11.opt \ plugins/tnccs-20.opt \ + plugins/tpm.opt \ plugins/unbound.opt \ plugins/updown.opt \ plugins/vici.opt \ diff --git a/conf/options/aikpub2.conf b/conf/options/aikpub2.conf deleted file mode 100644 index fd48f2c7a..000000000 --- a/conf/options/aikpub2.conf +++ /dev/null @@ -1,7 +0,0 @@ -aikpub2 { - - # Plugins to load in aikpub2 tool. - # load = - -} - diff --git a/conf/options/aikpub2.opt b/conf/options/aikpub2.opt deleted file mode 100644 index 6a755d211..000000000 --- a/conf/options/aikpub2.opt +++ /dev/null @@ -1,2 +0,0 @@ -aikpub2.load = - Plugins to load in aikpub2 tool. diff --git a/conf/options/charon.conf b/conf/options/charon.conf index f72041e6a..1b5d52d02 100644 --- a/conf/options/charon.conf +++ b/conf/options/charon.conf @@ -164,6 +164,9 @@ charon { # will be allocated. # port_nat_t = 4500 + # Wether to prefer updating SAs to the path with the best route. + # prefer_best_path = no + # Prefer locally configured proposals for IKE/IPsec over supplied ones as # responder (disabling this can avoid keying retries due to # INVALID_KE_PAYLOAD notifies). 
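Review bot: The comment added to charon.conf, `# Wether to prefer updating SAs to the path with the best route.`, misspells "Whether"; it should read `# Whether to prefer updating SAs to the path with the best route.`. The same sentence appears in the charon.opt hunk that introduces charon.prefer_best_path and in the strongswan.conf.5.main hunk for that option, so if the .conf and man page are generated from the .opt template (as the `options = ... .opt` lists in Makefile.am suggest), the fix belongs in charon.opt. The enclosing `charon { }` section starts and ends outside this hunk.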
@@ -236,6 +239,12 @@ charon { # Whether to enable constraints against IKEv2 signature schemes. # signature_authentication_constraints = yes + # The upper limit for SPIs requested from the kernel for IPsec SAs. + # spi_max = 0xcfffffff + + # The lower limit for SPIs requested from the kernel for IPsec SAs. + # spi_min = 0xc0000000 + # Number of worker threads in charon. # threads = 16 diff --git a/conf/options/charon.opt b/conf/options/charon.opt index 6e0b37c57..4c4311e81 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -260,6 +260,16 @@ charon.port_nat_t = 4500 allocated. Has to be different from **charon.port**, otherwise a random port will be allocated. +charon.prefer_best_path = no + Wether to prefer updating SAs to the path with the best route. + + By default, charon keeps SAs on the routing path with addresses it + previously used if that path is still usable. By setting this option to + yes, it tries more aggressively to update SAs with MOBIKE on routing + priority changes using the cheapest path. This adds more noise, but allows + to dynamically adapt SAs to routing priority changes. This option has no + effect if MOBIKE is not supported or disabled. + charon.prefer_configured_proposals = yes Prefer locally configured proposals for IKE/IPsec over supplied ones as responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD 
@@ -340,6 +350,16 @@ charon.signature_authentication_constraints = yes certificate chain, are also used as constraints against the signature scheme used by peers during IKEv2. +charon.spi_min = 0xc0000000 + The lower limit for SPIs requested from the kernel for IPsec SAs. + + The lower limit for SPIs requested from the kernel for IPsec SAs. Should not + be set lower than 0x00000100 (256), as SPIs between 1 and 255 are reserved + by IANA. + +charon.spi_max = 0xcfffffff + The upper limit for SPIs requested from the kernel for IPsec SAs. + charon.start-scripts {} Section containing a list of scripts (name = path) that are executed when the daemon is started. diff --git a/conf/plugins/addrblock.conf b/conf/plugins/addrblock.conf new file mode 100644 index 000000000..274961341 --- /dev/null +++ b/conf/plugins/addrblock.conf @@ -0,0 +1,11 @@ +addrblock { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Whether to strictly require addrblock extension in subject certificates. + # strict = yes + +} + diff --git a/conf/plugins/addrblock.opt b/conf/plugins/addrblock.opt new file mode 100644 index 000000000..e35e4c5ad --- /dev/null +++ b/conf/plugins/addrblock.opt @@ -0,0 +1,8 @@ +charon.plugins.addrblock.strict = yes + Whether to strictly require addrblock extension in subject certificates. + + If set to yes, a subject certificate without an addrblock extension is + rejected if the issuer certificate has such an addrblock extension. If set + to no, subject certificates issued without the addrblock extension are + accepted without any traffic selector checks and no policy is enforced + by the plugin. diff --git a/conf/plugins/bypass-lan.conf b/conf/plugins/bypass-lan.conf new file mode 100644 index 000000000..ad496db67 --- /dev/null +++ b/conf/plugins/bypass-lan.conf 
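Review bot: The new charon.spi_min and charon.spi_max entries document each bound on its own but never describe the pair as a range: nothing says whether spi_min must be below spi_max or what the daemon does when only one is set or the range is inverted, and the same gap is carried into the charon.conf and strongswan.conf.5.main hunks for these options. A sentence on the spi_max entry would close it, along the lines of `Must not be lower than **charon.spi_min**; SPIs are requested from the kernel within this range.`, adjusted to what the implementation actually does, since the validation code is not part of this diff. A short rationale for the 0xc0000000–0xcfffffff default would also help operators who tune it, given the IANA-reserved range already mentioned for spi_min.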
@@ -0,0 +1,17 @@ +bypass-lan { + + # A comma-separated list of network interfaces for which connected subnets + # should be ignored, if interfaces_use is specified this option has no + # effect. + # interfaces_ignore = + + # A comma-separated list of network interfaces for which connected subnets + # should be considered. All other interfaces are ignored. + # interfaces_use = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/conf/plugins/bypass-lan.opt b/conf/plugins/bypass-lan.opt new file mode 100644 index 000000000..8c72facde --- /dev/null +++ b/conf/plugins/bypass-lan.opt @@ -0,0 +1,8 @@ +charon.plugins.bypass-lan.interfaces_ignore + A comma-separated list of network interfaces for which connected subnets + should be ignored, if **interfaces_use** is specified this option has no + effect. + +charon.plugins.bypass-lan.interfaces_use + A comma-separated list of network interfaces for which connected subnets + should be considered. All other interfaces are ignored. diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf index 47f7d58bc..22d94ee38 100644 --- a/conf/plugins/kernel-netlink.conf +++ b/conf/plugins/kernel-netlink.conf @@ -3,6 +3,9 @@ kernel-netlink { # Buffer size for received Netlink messages. # buflen = <min(PAGE_SIZE, 8192)> + # Force maximum Netlink receive buffer on Netlink socket. + # force_receive_buffer_size = no + # Firewall mark to set on the routing rule that directs traffic to our # routing table. # fwmark = @@ -32,6 +35,9 @@ kernel-netlink { # Whether to use port or socket based IKE XFRM bypass policies. # port_bypass = no + # Maximum Netlink socket receive buffer in bytes. + # receive_buffer_size = 0 + # Number of Netlink message retransmissions to send on timeout. # retries = 0 diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt index 77ba6ea97..1136af1be 100644 --- a/conf/plugins/kernel-netlink.opt 
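Review bot: The interfaces_ignore description in bypass-lan.opt is a comma splice: `should be ignored, if **interfaces_use** is specified this option has no effect.` reads better as `should be ignored. If **interfaces_use** is specified, this option has no effect.`; the same sentence is reproduced in the bypass-lan.conf hunk and in the strongswan.conf.5.main hunk for this option, so fix it at the .opt source. It would also help to say what form the list entries take (interface names are implied but not stated) and whether an empty interfaces_use means "all interfaces", since the current text only covers the non-empty case.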
+++ b/conf/plugins/kernel-netlink.opt @@ -1,6 +1,14 @@ charon.plugins.kernel-netlink.buflen = <min(PAGE_SIZE, 8192)> Buffer size for received Netlink messages. +charon.plugins.kernel-netlink.force_receive_buffer_size = no + Force maximum Netlink receive buffer on Netlink socket. + + If the maximum Netlink socket receive buffer in bytes set by + _receive_buffer_size_ exceeds the system-wide maximum from + /proc/sys/net/core/rmem_max, this option can be used to override the limit. + Enabling this option requires special priviliges (CAP_NET_ADMIN). + charon.plugins.kernel-netlink.fwmark = Firewall mark to set on the routing rule that directs traffic to our routing table. @@ -39,6 +47,15 @@ charon.plugins.kernel-netlink.port_bypass = no port based policies use global XFRM bypass policies for the used IKE UDP ports. +charon.plugins.kernel-netlink.receive_buffer_size = 0 + Maximum Netlink socket receive buffer in bytes. + + Maximum Netlink socket receive buffer in bytes. This value controls how many + bytes of Netlink messages can be received on a Netlink socket. The default + value is set by /proc/sys/net/core/rmem_default. The specified value cannot + exceed the system-wide maximum from /proc/sys/net/core/rmem_max, unless + _force_receive_buffer_size_ is enabled. + charon.plugins.kernel-netlink.roam_events = yes Whether to trigger roam events when interfaces, addresses or routes change. diff --git a/conf/plugins/pkcs11.conf b/conf/plugins/pkcs11.conf index 35248c2ce..c786a9abb 100644 --- a/conf/plugins/pkcs11.conf +++ b/conf/plugins/pkcs11.conf @@ -4,9 +4,6 @@ pkcs11 { # priority of this plugin. load = yes - # Whether to load certificates from tokens. - # load_certs = yes - # Reload certificates from all tokens if charon receives a SIGHUP. # reload_certs = no 
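Review bot: The description of charon.plugins.kernel-netlink.force_receive_buffer_size misspells "privileges" in `Enabling this option requires special priviliges (CAP_NET_ADMIN).`; the same sentence is in the strongswan.conf.5.main hunk for that option. While touching that line, tying the capability to its effect makes the security trade-off explicit, e.g. `Enabling this option requires special privileges (CAP_NET_ADMIN), because it lets the socket exceed the system-wide limit in /proc/sys/net/core/rmem_max.`. The receive_buffer_size entry in the second hunk already cross-references this option correctly.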
@@ -31,6 +28,19 @@ pkcs11 { # List of available PKCS#11 modules. modules { + <name> { + + # Whether to automatically load certificates from tokens. + # load_certs = yes + + # Whether OS locking should be enabled for this module. + # os_locking = no + + # Full path to the shared object file of this PKCS#11 module. + # path = + + } + } } diff --git a/conf/plugins/pkcs11.opt b/conf/plugins/pkcs11.opt index f5a202844..8f328f087 100644 --- a/conf/plugins/pkcs11.opt +++ b/conf/plugins/pkcs11.opt @@ -1,8 +1,14 @@ charon.plugins.pkcs11.modules {} List of available PKCS#11 modules. -charon.plugins.pkcs11.load_certs = yes - Whether to load certificates from tokens. +charon.plugins.pkcs11.modules.<name>.path = + Full path to the shared object file of this PKCS#11 module. + +charon.plugins.pkcs11.modules.<name>.os_locking = no + Whether OS locking should be enabled for this module. + +charon.plugins.pkcs11.modules.<name>.load_certs = yes + Whether to automatically load certificates from tokens. charon.plugins.pkcs11.reload_certs = no Reload certificates from all tokens if charon receives a SIGHUP. diff --git a/conf/plugins/revocation.conf b/conf/plugins/revocation.conf new file mode 100644 index 000000000..ca24a640d --- /dev/null +++ b/conf/plugins/revocation.conf @@ -0,0 +1,14 @@ +revocation { + + # Whether CRL validation should be enabled. + # enable_crl = yes + + # Whether OCSP validation should be enabled. + # enable_ocsp = yes + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/conf/plugins/revocation.opt b/conf/plugins/revocation.opt new file mode 100644 index 000000000..5d2b8c026 --- /dev/null +++ b/conf/plugins/revocation.opt @@ -0,0 +1,7 @@ +charon.plugins.revocation.enable_ocsp = yes + Whether OCSP validation should be enabled. + +charon.plugins.revocation.enable_crl = yes + Whether CRL validation should be enabled. + + 
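Review bot: pkcs11.opt drops charon.plugins.pkcs11.load_certs in favour of the per-module key charon.plugins.pkcs11.modules.<name>.load_certs (mirrored in the pkcs11.conf hunks and the strongswan.conf.5.main hunk), but nothing tells operators that the old global key no longer has any effect. A deployment that set `charon.plugins.pkcs11.load_certs = no` would, after this change, silently fall back to the new default of yes for every module until each module section is updated, re-enabling certificate loading from tokens that was deliberately turned off — assuming the old key is indeed no longer read, which this diff cannot show. Consider a migration sentence in the new key's description, e.g. `Replaces the former global option **charon.plugins.pkcs11.load_certs**, which is no longer evaluated.`, and a matching note wherever the release documents option changes.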
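Review bot: revocation.opt ends with two empty added lines after the enable_crl entry (the trailing bare `+` lines of the `@@ -0,0 +1,7 @@` hunk), which the other new .opt files in this change (addrblock.opt, bypass-lan.opt, tpm.opt) do not have; drop them for consistency. The one-line descriptions of charon.plugins.revocation.enable_crl and enable_ocsp also leave the operator guessing what disabling a mechanism means for the authentication outcome — whether a certificate whose status can then not be determined is still accepted, and whether disabling both makes the plugin a no-op. A description paragraph stating that, matching whatever the plugin implements, would let readers of the generated man page judge the risk of turning either check off.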
diff --git a/conf/plugins/tpm.conf b/conf/plugins/tpm.conf new file mode 100644 index 000000000..222bb7b0a --- /dev/null +++ b/conf/plugins/tpm.conf @@ -0,0 +1,11 @@ +tpm { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Whether the TPM should be used as RNG. + # use_rng = no + +} + diff --git a/conf/plugins/tpm.opt b/conf/plugins/tpm.opt new file mode 100644 index 000000000..cd666dde8 --- /dev/null +++ b/conf/plugins/tpm.opt @@ -0,0 +1,2 @@ +charon.plugins.tpm.use_rng = no + Whether the TPM should be used as RNG. diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main index c0ecbb7ce..72ab3a77a 100644 --- a/conf/strongswan.conf.5.main +++ b/conf/strongswan.conf.5.main @@ -3,10 +3,6 @@ Plugins to load in ipsec aikgen tool. .TP -.BR aikpub2.load " []" -Plugins to load in aikpub2 tool. - -.TP .BR attest.database " []" File measurement information database URI. If it contains a password, make sure to adjust the permissions of the config file accordingly. @@ -402,6 +398,13 @@ WINS servers assigned to peer via configuration payload (CP). WINS servers assigned to peer via configuration payload (CP). .TP +.BR charon.plugins.addrblock.strict " [yes]" +If set to yes, a subject certificate without an addrblock extension is rejected +if the issuer certificate has such an addrblock extension. If set to no, subject +certificates issued without the addrblock extension are accepted without any +traffic selector checks and no policy is enforced by the plugin. + +.TP .BR charon.plugins.android_log.loglevel " [1]" Loglevel for logging to Android specific logger. 
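Review bot: charon.plugins.tpm.use_rng in tpm.opt has only the summary line `Whether the TPM should be used as RNG.`, so the generated man page entry says no more than the key name does. It does not state which random quality levels the TPM RNG would be registered for, or how the daemon obtains randomness when the option stays at no, which is what an operator needs to judge the impact of switching a key-material source. A description paragraph covering those two points — filled in from the plugin code, which is not part of this diff — would bring the entry in line with the more detailed kernel-netlink entries added in the same change.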
@@ -442,6 +445,18 @@ Enable logging of SQL IP pool leases. Use the enhanced BLISS\-B key generation and signature algorithm. .TP +.BR charon.plugins.bypass-lan.interfaces_ignore " []" +A comma\-separated list of network interfaces for which connected subnets should +be ignored, if +.RB "" "interfaces_use" "" +is specified this option has no effect. + +.TP +.BR charon.plugins.bypass-lan.interfaces_use " []" +A comma\-separated list of network interfaces for which connected subnets should +be considered. All other interfaces are ignored. + +.TP .BR charon.plugins.certexpire.csv.cron " []" Cron style string specifying CSV export times. @@ -922,6 +937,14 @@ to circumvent that problem. Buffer size for received Netlink messages. .TP +.BR charon.plugins.kernel-netlink.force_receive_buffer_size " [no]" +If the maximum Netlink socket receive buffer in bytes set by +.RI "" "receive_buffer_size" "" +exceeds the system\-wide maximum from +/proc/sys/net/core/rmem_max, this option can be used to override the limit. +Enabling this option requires special priviliges (CAP_NET_ADMIN). + +.TP .BR charon.plugins.kernel-netlink.fwmark " []" Firewall mark to set on the routing rule that directs traffic to our routing table. The format is [!]mark[/mask], where the optional exclamation mark inverts @@ -962,6 +985,15 @@ based policies are directly tied to the IKE UDP sockets, port based policies use global XFRM bypass policies for the used IKE UDP ports. .TP +.BR charon.plugins.kernel-netlink.receive_buffer_size " [0]" +Maximum Netlink socket receive buffer in bytes. This value controls how many +bytes of Netlink messages can be received on a Netlink socket. The default value +is set by /proc/sys/net/core/rmem_default. The specified value cannot exceed the +system\-wide maximum from /proc/sys/net/core/rmem_max, unless +.RI "" "force_receive_buffer_size" "" +is enabled. + +.TP .BR charon.plugins.kernel-netlink.retries " [0]" Number of Netlink message retransmissions to send on timeout. 
@@ -1264,15 +1296,23 @@ server addresses. Requests will be sent for addresses of the same families for which internal IPs are requested. .TP -.BR charon.plugins.pkcs11.load_certs " [yes]" -Whether to load certificates from tokens. - -.TP .B charon.plugins.pkcs11.modules .br List of available PKCS#11 modules. .TP +.BR charon.plugins.pkcs11.modules.<name>.load_certs " [yes]" +Whether to automatically load certificates from tokens. + +.TP +.BR charon.plugins.pkcs11.modules.<name>.os_locking " [no]" +Whether OS locking should be enabled for this module. + +.TP +.BR charon.plugins.pkcs11.modules.<name>.path " []" +Full path to the shared object file of this PKCS#11 module. + +.TP .BR charon.plugins.pkcs11.reload_certs " [no]" Reload certificates from all tokens if charon receives a SIGHUP. @@ -1338,6 +1378,14 @@ should have a high priority according to the order defined in .TP +.BR charon.plugins.revocation.enable_crl " [yes]" +Whether CRL validation should be enabled. + +.TP +.BR charon.plugins.revocation.enable_ocsp " [yes]" +Whether OCSP validation should be enabled. + +.TP .BR charon.plugins.socket-default.fwmark " []" Firewall mark to set on outbound packets. @@ -1523,6 +1571,10 @@ Send an unsupported PB\-TNC message type with the NOSKIP flag set. Send a PB\-TNC batch with a modified PB\-TNC version. .TP +.BR charon.plugins.tpm.use_rng " [no]" +Whether the TPM should be used as RNG. + +.TP .BR charon.plugins.unbound.dlv_anchors " []" File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses the same format as 
@@ -1588,6 +1640,15 @@ otherwise a random port will be allocated. .TP +.BR charon.prefer_best_path " [no]" +By default, charon keeps SAs on the routing path with addresses it previously +used if that path is still usable. By setting this option to yes, it tries more +aggressively to update SAs with MOBIKE on routing priority changes using the +cheapest path. This adds more noise, but allows to dynamically adapt SAs to +routing priority changes. This option has no effect if MOBIKE is not supported +or disabled. + +.TP .BR charon.prefer_configured_proposals " [yes]" Prefer locally configured proposals for IKE/IPsec over supplied ones as responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD @@ -1695,6 +1756,15 @@ are also used as constraints against the signature scheme used by peers during IKEv2. .TP +.BR charon.spi_max " [0xcfffffff]" +The upper limit for SPIs requested from the kernel for IPsec SAs. + +.TP +.BR charon.spi_min " [0xc0000000]" +The lower limit for SPIs requested from the kernel for IPsec SAs. Should not be +set lower than 0x00000100 (256), as SPIs between 1 and 255 are reserved by IANA. + +.TP .B charon.start-scripts .br Section containing a list of scripts (name = path) that are executed when the |