Diffstat (limited to 'conf')
44 files changed, 421 insertions, 327 deletions
diff --git a/conf/Makefile.am b/conf/Makefile.am index 61a0add4d..373be1631 100644 --- a/conf/Makefile.am +++ b/conf/Makefile.am @@ -8,6 +8,7 @@ optionstemplatedir = $(templatesdir)/strongswan.d pluginstemplatedir = $(templatesdir)/plugins options = \ + options/aikgen.opt \ options/attest.opt \ options/charon.opt \ options/charon-logging.opt \ @@ -15,10 +16,12 @@ options = \ options/manager.opt \ options/medsrv.opt \ options/pacman.opt \ + options/pki.opt \ options/pool.opt \ + options/scepclient.opt \ options/starter.opt \ - options/tnc.opt \ - options/tools.opt + options/swanctl.opt \ + options/tnc.opt plugins = \ plugins/android_log.opt \ @@ -51,10 +54,10 @@ plugins = \ plugins/imv-attestation.opt \ plugins/imv-os.opt \ plugins/imv-scanner.opt \ + plugins/imv-swid.opt \ plugins/imv-test.opt \ plugins/ipseckey.opt \ plugins/led.opt \ - plugins/kernel-klips.opt \ plugins/kernel-libipsec.opt \ plugins/kernel-netlink.opt \ plugins/kernel-pfroute.opt \ @@ -78,6 +81,7 @@ plugins = \ plugins/tnccs-20.opt \ plugins/unbound.opt \ plugins/updown.opt \ + plugins/vici.opt \ plugins/whitelist.opt \ plugins/xauth-eap.opt \ plugins/xauth-pam.opt diff --git a/conf/Makefile.in b/conf/Makefile.in index e14c44e3e..a0ad980ca 100644 --- a/conf/Makefile.in +++ b/conf/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.3 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. 
@@ -111,28 +111,6 @@ AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -AM_V_lt = $(am__v_lt_@AM_V@) -am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) -am__v_lt_0 = --silent -am__v_lt_1 = -LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -AM_V_CC = $(am__v_CC_@AM_V@) -am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) -am__v_CC_0 = @echo " CC " $@; -am__v_CC_1 = -CCLD = $(CC) -LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -AM_V_CCLD = $(am__v_CCLD_@AM_V@) -am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) -am__v_CCLD_0 = @echo " CCLD " $@; -am__v_CCLD_1 = SOURCES = DIST_SOURCES = am__can_run_installinfo = \ @@ -239,6 +217,7 @@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ @@ -257,6 +236,7 @@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ @@ -284,6 +264,7 @@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -375,6 +356,7 @@ srcdir = @srcdir@ starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ systemdsystemunitdir = @systemdsystemunitdir@ t_plugins = @t_plugins@ 
@@ -395,6 +377,7 @@ templatesdir = $(pkgdatadir)/templates/config
 optionstemplatedir = $(templatesdir)/strongswan.d
 pluginstemplatedir = $(templatesdir)/plugins
 options = \
+	options/aikgen.opt \
 	options/attest.opt \
 	options/charon.opt \
 	options/charon-logging.opt \
@@ -402,10 +385,12 @@ options = \
 	options/manager.opt \
 	options/medsrv.opt \
 	options/pacman.opt \
+	options/pki.opt \
 	options/pool.opt \
+	options/scepclient.opt \
 	options/starter.opt \
-	options/tnc.opt \
-	options/tools.opt
+	options/swanctl.opt \
+	options/tnc.opt
 
 plugins = \
 	plugins/android_log.opt \
@@ -438,10 +423,10 @@ plugins = \
 	plugins/imv-attestation.opt \
 	plugins/imv-os.opt \
 	plugins/imv-scanner.opt \
+	plugins/imv-swid.opt \
 	plugins/imv-test.opt \
 	plugins/ipseckey.opt \
 	plugins/led.opt \
-	plugins/kernel-klips.opt \
 	plugins/kernel-libipsec.opt \
 	plugins/kernel-netlink.opt \
 	plugins/kernel-pfroute.opt \
@@ -465,6 +450,7 @@ plugins = \
 	plugins/tnccs-20.opt \
 	plugins/unbound.opt \
 	plugins/updown.opt \
+	plugins/vici.opt \
 	plugins/whitelist.opt \
 	plugins/xauth-eap.opt \
 	plugins/xauth-pam.opt
diff --git a/conf/format-options.py b/conf/format-options.py
index fc6e6e1fd..d046e24ca 100755
--- a/conf/format-options.py
+++ b/conf/format-options.py
@@ -67,8 +67,8 @@ class ConfigOption:
 		self.desc = []
 		self.options = []
 
-	def __cmp__(self, other):
-		return cmp(self.name, other.name)
+	def __lt__(self, other):
+		return self.name < other.name
 
 	def add_paragraph(self):
 		"""Adds a new paragraph to the description"""
@@ -92,8 +92,9 @@ class ConfigOption:
 class Parser:
 	"""Parses one or more files of configuration options"""
 
-	def __init__(self):
+	def __init__(self, sort = True):
 		self.options = []
+		self.sort = sort
 
 	def parse(self, file):
 		"""Parses the given file and adds all options to the internal store"""
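Review bot: Replacing `__cmp__` with only `__lt__` on ConfigOption changes what `==` means: under `__cmp__` two options with the same name compared equal, whereas with `__lt__` alone equality falls back to object identity. That is all `list.sort()` needs, but if anything else in this file compares options or tests list membership by value (not visible in this hunk), add `def __eq__(self, other): return self.name == other.name` next to it. The new `sort` parameter of `Parser.__init__` is undocumented; extend the class docstring with a line such as `With sort=False, options and sections keep the order in which they were parsed.`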
@@ -145,7 +146,8 @@ class Parser:
 					found.adopt(option)
 				else:
 					parent.options.append(option)
-					parent.options.sort()
+					if self.sort:
+						parent.options.sort()
 
 	def __get_option(self, parts, create = False):
 		"""Searches/Creates the option (section) based on a list of section names"""
@@ -160,7 +162,8 @@ class Parser:
 					break
 				option = ConfigOption(fullname, section = True)
 				options.append(option)
-				options.sort()
+				if self.sort:
+					options.sort()
 				options = option.options
 		return option
 
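Review bot: The gated sort is now written twice, here in `parse` and again in `__get_option` (the second hunk on this line), so a later change to the ordering rule has two places to miss. A small helper on Parser, `def __sort(self, options):` / `if self.sort:` / `options.sort()`, called from both sites keeps the rule in one place. Both sites still re-sort the whole list after every append, which predates this change but becomes the obvious spot to sort once after parsing if the helper is introduced. Both enclosing methods start outside the hunk.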
@@ -227,31 +230,32 @@ class ConfFormatter:
 		if len(opt.desc):
 			self.__wrapper.initial_indent = '{0}# '.format(self.__indent * indent)
 			self.__wrapper.subsequent_indent = self.__wrapper.initial_indent
-			print format(self.__wrapper.fill(self.__tags.replace(opt.desc[0])))
+			print(self.__wrapper.fill(self.__tags.replace(opt.desc[0])))
 
 	def __print_option(self, opt, indent, commented):
 		"""Print a single option with description and default value"""
 		comment = "# " if commented or opt.commented else ""
 		self.__print_description(opt, indent)
 		if opt.default:
-			print '{0}{1}{2} = {3}'.format(self.__indent * indent, comment, opt.name, opt.default)
+			print('{0}{1}{2} = {3}'.format(self.__indent * indent, comment, opt.name, opt.default))
 		else:
-			print '{0}{1}{2} ='.format(self.__indent * indent, comment, opt.name)
-		print
+			print('{0}{1}{2} ='.format(self.__indent * indent, comment, opt.name))
+		print('')
 
 	def __print_section(self, section, indent, commented):
 		"""Print a section with all options"""
-		comment = "# " if commented or section.commented else ""
+		commented = commented or section.commented
+		comment = "# " if commented else ""
 		self.__print_description(section, indent)
-		print '{0}{1}{2} {{'.format(self.__indent * indent, comment, section.name)
-		print
+		print('{0}{1}{2} {{'.format(self.__indent * indent, comment, section.name))
+		print('')
 		for o in sorted(section.options, key=attrgetter('section')):
 			if o.section:
-				self.__print_section(o, indent + 1, section.commented)
+				self.__print_section(o, indent + 1, commented)
 			else:
-				self.__print_option(o, indent + 1, section.commented)
-		print '{0}{1}}}'.format(self.__indent * indent, comment)
-		print
+				self.__print_option(o, indent + 1, commented)
+		print('{0}{1}}}'.format(self.__indent * indent, comment))
+		print('')
 
 	def format(self, options):
 		"""Print a list of options"""
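Review bot: The actual behavioural change in `__print_section` — `commented` is now accumulated and passed down, so everything nested in a commented-out section is commented out too — is easy to miss among the print() conversions and deserves a comment on the `commented = commented or section.commented` line, e.g. `# a commented-out section comments out all of its children`. The `print('')` calls instead of `print()` look deliberate so the script keeps running on Python 2 without a `print_function` future import (the top of the file is not visible here); a one-line comment at the first occurrence would stop a later cleanup from "simplifying" them. The enclosing `__print_description` starts outside the hunk.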
@@ -282,14 +286,14 @@ class ManFormatter:
 		if option.section and not len(option.desc):
 			return
 		if option.section:
-			print '.TP\n.B {0}\n.br'.format(option.fullname)
+			print('.TP\n.B {0}\n.br'.format(option.fullname))
 		else:
-			print '.TP'
+			print('.TP')
 		default = option.default if option.default else ''
-		print '.BR {0} " [{1}]"'.format(option.fullname, default)
+		print('.BR {0} " [{1}]"'.format(option.fullname, default))
 		for para in option.desc if len(option.desc) < 2 else option.desc[1:]:
-			print self.__groffize(self.__wrapper.fill(para))
-		print ''
+			print(self.__groffize(self.__wrapper.fill(para)))
+		print('')
 
 	def format(self, options):
 		"""Print a list of options"""
@@ -309,9 +313,12 @@ options.add_option("-f", "--format", dest="format", type="choice", choices=["con
 options.add_option("-r", "--root", dest="root", metavar="NAME",
 				   help="root section of which options are printed, "
 				   "if not found everything is printed")
+options.add_option("-n", "--nosort", action="store_false", dest="sort",
+				   default=True, help="do not sort sections alphabetically")
+
 (opts, args) = options.parse_args()
 
-parser = Parser()
+parser = Parser(opts.sort)
 if len(args):
 	for filename in args:
 		try:
diff --git a/conf/options/aikgen.conf b/conf/options/aikgen.conf
new file mode 100644
index 000000000..10d362f1d
--- /dev/null
+++ b/conf/options/aikgen.conf
@@ -0,0 +1,7 @@
+aikgen {
+
+    # Plugins to load in ipsec aikgen tool.
+    # load =
+
+}
+
diff --git a/conf/options/aikgen.opt b/conf/options/aikgen.opt
new file mode 100644
index 000000000..2d33947fd
--- /dev/null
+++ b/conf/options/aikgen.opt
@@ -0,0 +1,2 @@
+aikgen.load =
+	Plugins to load in ipsec aikgen tool.
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index 5cab2b1c4..ec3a39a40 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
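Review bot: The help text for `-n/--nosort` says it stops sorting sections, but `Parser.sort` also gates `parent.options.sort()` in `Parser.parse`, so plain options keep file order as well; change it to `help="do not sort sections and options alphabetically"`. Passing the flag positionally as `Parser(opts.sort)` reads as if the parser took a file; `parser = Parser(sort=opts.sort)` names the intent. ConfFormatter still groups options before subsections through `sorted(section.options, key=attrgetter('section'))` regardless of this flag, which is worth a sentence in the help string so users of `--nosort` are not surprised.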
@@ -1,6 +1,9 @@ # Options for the charon IKE daemon. charon { + # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. + # accept_unencrypted_mainmode_messages = no + # Maximum number of half-open IKE_SAs for a single peer IP. # block_threshold = 5 @@ -131,6 +134,11 @@ charon { # will be allocated. # port_nat_t = 4500 + # By default public IPv6 addresses are preferred over temporary ones (RFC + # 4941), to make connections more stable. Enable this option to reverse + # this. + # prefer_temporary_addrs = no + # Process RTM_NEWROUTE and RTM_DELROUTE events. # process_route = yes @@ -254,6 +262,18 @@ charon { } + # Section containing a list of scripts (name = path) that are executed when + # the daemon is started. + start-scripts { + + } + + # Section containing a list of scripts (name = path) that are executed when + # the daemon is terminated. + stop-scripts { + + } + tls { # List of TLS encryption ciphers. diff --git a/conf/options/charon.opt b/conf/options/charon.opt index c6f4f1e9e..1eb1b8877 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt 
@@ -8,6 +8,21 @@ charon {} **charon-cmd** instead of **charon**). For many options defaults can be defined in the **libstrongswan** section. +charon.accept_unencrypted_mainmode_messages = no + Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. + + Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. + + Some implementations send the third Main Mode message unencrypted, probably + to find the PSKs for the specified ID for authentication. This is very + similar to Aggressive Mode, and has the same security implications: A + passive attacker can sniff the negotiated Identity, and start brute forcing + the PSK using the HASH payload. + + It is recommended to keep this option to no, unless you know exactly + what the implications are and require compatibility to such devices (for + example, some SonicWall boxes). + charon.block_threshold = 5 Maximum number of half-open IKE_SAs for a single peer IP. @@ -196,6 +211,10 @@ charon.port_nat_t = 4500 allocated. Has to be different from **charon.port**, otherwise a random port will be allocated. +charon.prefer_temporary_addrs = no + By default public IPv6 addresses are preferred over temporary ones (RFC + 4941), to make connections more stable. Enable this option to reverse this. + charon.process_route = yes Process RTM_NEWROUTE and RTM_DELROUTE events. @@ -256,6 +275,14 @@ charon.send_delay_type = 0 charon.send_vendor_id = no Send strongSwan vendor ID payload +charon.start-scripts {} + Section containing a list of scripts (name = path) that are executed when + the daemon is started. + +charon.stop-scripts {} + Section containing a list of scripts (name = path) that are executed when + the daemon is terminated. + charon.threads = 16 Number of worker threads in charon. diff --git a/conf/options/pki.conf b/conf/options/pki.conf new file mode 100644 index 000000000..f64a091a5 --- /dev/null +++ b/conf/options/pki.conf @@ -0,0 +1,7 @@ +pki { + + # Plugins to load in ipsec pki tool. + # load = + +} + 
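Review bot: The new `charon.start-scripts {}` and `charon.stop-scripts {}` descriptions say only that the listed scripts are executed when the daemon starts and stops, not by whom, in what order, or with which privileges, so an administrator cannot judge what a writable entry exposes. Presumably the daemon itself runs them with its own privileges, in which case the paths should point to root-owned, non-world-writable files; a sentence such as `Scripts are executed by the daemon with its privileges; only list files that cannot be modified by unprivileged users.` would make that explicit (adjust if the execution order or user is defined elsewhere). The same text appears in charon.conf on the preceding line, which looks like it is generated from this file, so the change belongs here.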
diff --git a/conf/options/pki.opt b/conf/options/pki.opt new file mode 100644 index 000000000..c57dcc8c5 --- /dev/null +++ b/conf/options/pki.opt @@ -0,0 +1,2 @@ +pki.load = + Plugins to load in ipsec pki tool. diff --git a/conf/options/tools.conf b/conf/options/scepclient.conf index 781635ceb..0b1a13187 100644 --- a/conf/options/tools.conf +++ b/conf/options/scepclient.conf @@ -1,10 +1,3 @@ -pki { - - # Plugins to load in ipsec pki tool. - # load = - -} - scepclient { # Plugins to load in ipsec scepclient tool. diff --git a/conf/options/tools.opt b/conf/options/scepclient.opt index 72a49de28..7e30f5cd3 100644 --- a/conf/options/tools.opt +++ b/conf/options/scepclient.opt @@ -1,5 +1,2 @@ -pki.load = - Plugins to load in ipsec pki tool. - scepclient.load = Plugins to load in ipsec scepclient tool. diff --git a/conf/options/swanctl.conf b/conf/options/swanctl.conf new file mode 100644 index 000000000..cb182396b --- /dev/null +++ b/conf/options/swanctl.conf @@ -0,0 +1,7 @@ +swanctl { + + # Plugins to load in swanctl. + # load = + +} + diff --git a/conf/options/swanctl.opt b/conf/options/swanctl.opt new file mode 100644 index 000000000..f78b4bccc --- /dev/null +++ b/conf/options/swanctl.opt @@ -0,0 +1,2 @@ +swanctl.load = + Plugins to load in swanctl.
\ No newline at end of file diff --git a/conf/plugins/eap-tnc.conf b/conf/plugins/eap-tnc.conf index aca72f1ed..27ef1366d 100644 --- a/conf/plugins/eap-tnc.conf +++ b/conf/plugins/eap-tnc.conf @@ -9,7 +9,7 @@ eap-tnc { # IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0, # tnccs-dynamic). - # protocol = tnccs-1.1 + # protocol = tnccs-2.0 } diff --git a/conf/plugins/eap-tnc.opt b/conf/plugins/eap-tnc.opt index 8e060ceda..559315240 100644 --- a/conf/plugins/eap-tnc.opt +++ b/conf/plugins/eap-tnc.opt @@ -1,6 +1,6 @@ charon.plugins.eap-tnc.max_message_count = 10 Maximum number of processed EAP-TNC packets (0 = no limit). -charon.plugins.eap-tnc.protocol = tnccs-1.1 +charon.plugins.eap-tnc.protocol = tnccs-2.0 IF-TNCCS protocol version to be used (_tnccs-1.1_, _tnccs-2.0_, _tnccs-dynamic_). diff --git a/conf/plugins/eap-ttls.conf b/conf/plugins/eap-ttls.conf index 5229625e0..0614dcb3c 100644 --- a/conf/plugins/eap-ttls.conf +++ b/conf/plugins/eap-ttls.conf @@ -23,6 +23,9 @@ eap-ttls { # Start phase2 EAP TNC protocol after successful client authentication. # phase2_tnc = no + # Phase2 EAP TNC transport protocol (pt as IETF standard or legacy tnc) + # phase2_tnc_method = pt + # Request peer authentication based on a client certificate. # request_peer_auth = no diff --git a/conf/plugins/eap-ttls.opt b/conf/plugins/eap-ttls.opt index 21a6cb674..7dcee82b2 100644 --- a/conf/plugins/eap-ttls.opt +++ b/conf/plugins/eap-ttls.opt @@ -16,5 +16,8 @@ charon.plugins.eap-ttls.phase2_piggyback = no charon.plugins.eap-ttls.phase2_tnc = no Start phase2 EAP TNC protocol after successful client authentication. +charon.plugins.eap-ttls.phase2_tnc_method = pt + Phase2 EAP TNC transport protocol (_pt_ as IETF standard or legacy _tnc_) + charon.plugins.eap-ttls.request_peer_auth = no Request peer authentication based on a client certificate. diff --git a/conf/plugins/imc-attestation.conf b/conf/plugins/imc-attestation.conf index 2d8deaa8e..eed706fb8 100644 
--- a/conf/plugins/imc-attestation.conf +++ b/conf/plugins/imc-attestation.conf @@ -1,29 +1,8 @@ imc-attestation { - # AIK encrypted private key blob file. - # aik_blob = - - # AIK certificate file. - # aik_cert = - - # AIK public key file. - # aik_key = - # Whether to load the plugin. Can also be an integer to increase the # priority of this plugin. load = yes - # Enforce mandatory Diffie-Hellman groups. - # mandatory_dh_groups = yes - - # DH nonce length. - # nonce_len = 20 - - # Whether to send pcr_before and pcr_after info. - # pcr_info = yes - - # Use Quote2 AIK signature instead of Quote signature. - # use_quote2 = yes - } diff --git a/conf/plugins/imc-attestation.opt b/conf/plugins/imc-attestation.opt index aaac4c2c1..9b60b9ede 100644 --- a/conf/plugins/imc-attestation.opt +++ b/conf/plugins/imc-attestation.opt @@ -1,20 +1,20 @@ -charon.plugins.imc-attestation.aik_blob = +libimcv.plugins.imc-attestation.aik_blob = AIK encrypted private key blob file. -charon.plugins.imc-attestation.aik_cert = +libimcv.plugins.imc-attestation.aik_cert = AIK certificate file. -charon.plugins.imc-attestation.aik_key = +libimcv.plugins.imc-attestation.aik_pubkey = AIK public key file. -charon.plugins.imc-attestation.mandatory_dh_groups = yes +libimcv.plugins.imc-attestation.mandatory_dh_groups = yes Enforce mandatory Diffie-Hellman groups. -charon.plugins.imc-attestation.nonce_len = 20 +libimcv.plugins.imc-attestation.nonce_len = 20 DH nonce length. -charon.plugins.imc-attestation.use_quote2 = yes +libimcv.plugins.imc-attestation.use_quote2 = yes Use Quote2 AIK signature instead of Quote signature. -charon.plugins.imc-attestation.pcr_info = yes +libimcv.plugins.imc-attestation.pcr_info = no Whether to send pcr_before and pcr_after info. diff --git a/conf/plugins/imc-os.conf b/conf/plugins/imc-os.conf index 1d245d3f3..56b218228 100644 --- a/conf/plugins/imc-os.conf +++ b/conf/plugins/imc-os.conf 
@@ -4,8 +4,5 @@ imc-os { # priority of this plugin. load = yes - # Send operating system info without being prompted. - # push_info = yes - } diff --git a/conf/plugins/imc-os.opt b/conf/plugins/imc-os.opt index 2a6333f93..4f559f2b9 100644 --- a/conf/plugins/imc-os.opt +++ b/conf/plugins/imc-os.opt @@ -1,2 +1,14 @@ -charon.plugins.imc-os.push_info = yes +libimcv.plugins.imc-os.device_cert = + Manually set the path to the client device certificate + (e.g. /etc/pts/aikCert.der) + +libimcv.plugins.imc-os.device_id = + Manually set the client device ID in hexadecimal format + (e.g. 1083f03988c9762703b1c1080c2e46f72b99cc31) + +libimcv.plugins.imc-os.device_pubkey = + Manually set the path to the client device public key + (e.g. /etc/pts/aikPub.der) + +libimcv.plugins.imc-os.push_info = yes Send operating system info without being prompted. diff --git a/conf/plugins/imc-scanner.conf b/conf/plugins/imc-scanner.conf index 7f2f53106..fb05a0823 100644 --- a/conf/plugins/imc-scanner.conf +++ b/conf/plugins/imc-scanner.conf @@ -4,8 +4,5 @@ imc-scanner { # priority of this plugin. load = yes - # Send open listening ports without being prompted. - # push_info = yes - } diff --git a/conf/plugins/imc-scanner.opt b/conf/plugins/imc-scanner.opt index 84e6dfa2f..9cc12b91d 100644 --- a/conf/plugins/imc-scanner.opt +++ b/conf/plugins/imc-scanner.opt @@ -1,2 +1,2 @@ -charon.plugins.imc-scanner.push_info = yes +libimcv.plugins.imc-scanner.push_info = yes Send open listening ports without being prompted. diff --git a/conf/plugins/imc-swid.conf b/conf/plugins/imc-swid.conf index 8b3317163..4893703ad 100644 --- a/conf/plugins/imc-swid.conf +++ b/conf/plugins/imc-swid.conf @@ -4,8 +4,5 @@ imc-swid { # priority of this plugin. load = yes - # Directory where SWID tags are located. - # swid_directory = ${prefix}/share - } diff --git a/conf/plugins/imc-swid.opt b/conf/plugins/imc-swid.opt index 67f7c79c4..74490c179 100644 --- a/conf/plugins/imc-swid.opt +++ b/conf/plugins/imc-swid.opt 
@@ -1,2 +1,11 @@ -charon.plugins.imc-swid.swid_directory = ${prefix}/share +libimcv.plugins.imc-swid.swid_directory = ${prefix}/share Directory where SWID tags are located. + +libimcv.plugins.imc-swid.swid_generator = /usr/local/bin/swid_generator + SWID generator command to be executed. + +libimcv.plugins.imc-swid.swid_pretty = FALSE + Generate XML-encoded SWID tags with pretty indentation. + +libimcv.plugins.imc-swid.swid_full = FALSE + Include file information in the XML-encoded SWID tags. diff --git a/conf/plugins/imc-test.conf b/conf/plugins/imc-test.conf index 0d66e3d0c..4deac7641 100644 --- a/conf/plugins/imc-test.conf +++ b/conf/plugins/imc-test.conf @@ -1,23 +1,8 @@ imc-test { - # Number of additional IMC IDs. - # additional_ids = 0 - - # Command to be sent to the Test IMV. - # command = none - - # Size of dummy attribute to be sent to the Test IMV (0 = disabled). - # dummy_size = 0 - # Whether to load the plugin. Can also be an integer to increase the # priority of this plugin. load = yes - # Do a handshake retry. - # retry = no - - # Command to be sent to the Test IMV in the handshake retry. - # retry_command = - } diff --git a/conf/plugins/imc-test.opt b/conf/plugins/imc-test.opt index c3169b5af..e15b069e8 100644 --- a/conf/plugins/imc-test.opt +++ b/conf/plugins/imc-test.opt @@ -1,14 +1,14 @@ -charon.plugins.imc-test.additional_ids = 0 +libimcv.plugins.imc-test.additional_ids = 0 Number of additional IMC IDs. -charon.plugins.imc-test.command = none +libimcv.plugins.imc-test.command = none Command to be sent to the Test IMV. -charon.plugins.imc-test.dummy_size = 0 +libimcv.plugins.imc-test.dummy_size = 0 Size of dummy attribute to be sent to the Test IMV (0 = disabled). -charon.plugins.imc-test.retry = no +libimcv.plugins.imc-test.retry = no Do a handshake retry. -charon.plugins.imc-test.retry_command = +libimcv.plugins.imc-test.retry_command = Command to be sent to the Test IMV in the handshake retry. 
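Review bot: `libimcv.plugins.imc-swid.swid_pretty = FALSE` and `swid_full = FALSE` break the yes/no convention every other boolean on this page uses (`push_info = yes`, `retry = no`); if the settings parser treats the spellings equivalently, write `= no` so the generated conf and man page read consistently. The new `swid_generator = /usr/local/bin/swid_generator` is described only as "SWID generator command to be executed"; since the IMC will run whatever binary this points to, the description should say so and that the path must not be writable by unprivileged users, e.g. `Path to the swid_generator binary executed by the IMC; must be a trusted, non-writable executable.`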
diff --git a/conf/plugins/imv-attestation.conf b/conf/plugins/imv-attestation.conf index 3a1a7f225..29a42090b 100644 --- a/conf/plugins/imv-attestation.conf +++ b/conf/plugins/imv-attestation.conf @@ -1,45 +1,8 @@ -imc-attestation { - - # Dummy data if the TBOOT log is not retrieved. - # pcr17_after = - - # Dummy data if the TBOOT log is not retrieved. - # pcr17_before = - - # Dummy data if the TBOOT log is not retrieved. - # pcr17_meas = - - # Dummy data if the TBOOT log is not retrieved. - # pcr18_after = - - # Dummy data if the TBOOT log is not retrieved. - # pcr18_before = - - # Dummy data if the TBOOT log is not retrieved. - # pcr18_meas = - -} - imv-attestation { - # Path to directory with AIK cacerts. - # cadir = - - # Preferred Diffie-Hellman group. - # dh_group = ecp256 - - # Preferred measurement hash algorithm. - # hash_algorithm = sha256 - # Whether to load the plugin. Can also be an integer to increase the # priority of this plugin. load = yes - # Enforce mandatory Diffie-Hellman groups. - # mandatory_dh_groups = yes - - # DH minimum nonce length. - # min_nonce_len = 0 - } diff --git a/conf/plugins/imv-attestation.opt b/conf/plugins/imv-attestation.opt index f266281e6..3ad51625d 100644 --- a/conf/plugins/imv-attestation.opt +++ b/conf/plugins/imv-attestation.opt 
@@ -1,32 +1,32 @@ -charon.plugins.imv-attestation.cadir = +libimcv.plugins.imv-attestation.cadir = Path to directory with AIK cacerts. -charon.plugins.imv-attestation.mandatory_dh_groups = yes +libimcv.plugins.imv-attestation.mandatory_dh_groups = yes Enforce mandatory Diffie-Hellman groups. -charon.plugins.imv-attestation.dh_group = ecp256 +libimcv.plugins.imv-attestation.dh_group = ecp256 Preferred Diffie-Hellman group. -charon.plugins.imv-attestation.hash_algorithm = sha256 +libimcv.plugins.imv-attestation.hash_algorithm = sha256 Preferred measurement hash algorithm. -charon.plugins.imv-attestation.min_nonce_len = 0 +libimcv.plugins.imv-attestation.min_nonce_len = 0 DH minimum nonce length. -charon.plugins.imc-attestation.pcr17_after +libimcv.plugins.imc-attestation.pcr17_after Dummy data if the TBOOT log is not retrieved. -charon.plugins.imc-attestation.pcr17_before +libimcv.plugins.imc-attestation.pcr17_before Dummy data if the TBOOT log is not retrieved. -charon.plugins.imc-attestation.pcr17_meas +libimcv.plugins.imc-attestation.pcr17_meas Dummy data if the TBOOT log is not retrieved. -charon.plugins.imc-attestation.pcr18_after +libimcv.plugins.imc-attestation.pcr18_after Dummy data if the TBOOT log is not retrieved. -charon.plugins.imc-attestation.pcr18_before +libimcv.plugins.imc-attestation.pcr18_before Dummy data if the TBOOT log is not retrieved. -charon.plugins.imc-attestation.pcr18_meas +libimcv.plugins.imc-attestation.pcr18_meas Dummy data if the TBOOT log is not retrieved. diff --git a/conf/plugins/imv-os.conf b/conf/plugins/imv-os.conf index 8f0da3760..f2786cc3f 100644 --- a/conf/plugins/imv-os.conf +++ b/conf/plugins/imv-os.conf @@ -4,8 +4,5 @@ imv-os { # priority of this plugin. load = yes - # URI pointing to operating system remediation instructions. - # remediation_uri = - } diff --git a/conf/plugins/imv-os.opt b/conf/plugins/imv-os.opt index eab926201..fe83bb66f 100644 --- a/conf/plugins/imv-os.opt +++ b/conf/plugins/imv-os.opt 
@@ -1,2 +1,2 @@ -charon.plugins.imv-os.remediation_uri = +libimcv.plugins.imv-os.remediation_uri = URI pointing to operating system remediation instructions. diff --git a/conf/plugins/imv-scanner.conf b/conf/plugins/imv-scanner.conf index 25719d0ef..4b9da8f08 100644 --- a/conf/plugins/imv-scanner.conf +++ b/conf/plugins/imv-scanner.conf @@ -4,8 +4,5 @@ imv-scanner { # priority of this plugin. load = yes - # URI pointing to scanner remediation instructions. - # remediation_uri = - } diff --git a/conf/plugins/imv-scanner.opt b/conf/plugins/imv-scanner.opt index 7af87493b..d23c6bab9 100644 --- a/conf/plugins/imv-scanner.opt +++ b/conf/plugins/imv-scanner.opt @@ -1,2 +1,2 @@ -charon.plugins.imv-scanner.remediation_uri = +libimcv.plugins.imv-scanner.remediation_uri = URI pointing to scanner remediation instructions. diff --git a/conf/plugins/imv-swid.conf b/conf/plugins/imv-swid.conf new file mode 100644 index 000000000..bfd49bd1c --- /dev/null +++ b/conf/plugins/imv-swid.conf @@ -0,0 +1,8 @@ +imv-swid { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/conf/plugins/imv-swid.opt b/conf/plugins/imv-swid.opt new file mode 100644 index 000000000..d451c78ce --- /dev/null +++ b/conf/plugins/imv-swid.opt @@ -0,0 +1,5 @@ +libimcv.plugins.imv-swid.rest_api_uri = + HTTP URI of the SWID REST API. + +libimcv.plugins.imv-swid.rest_api_timeout = 120 + Timeout of SWID REST API HTTP POST transaction. diff --git a/conf/plugins/imv-test.conf b/conf/plugins/imv-test.conf index 9bd248792..b268765bc 100644 --- a/conf/plugins/imv-test.conf +++ b/conf/plugins/imv-test.conf @@ -4,8 +4,5 @@ imv-test { # priority of this plugin. load = yes - # Number of IMC-IMV retry rounds. - # rounds = 0 - } diff --git a/conf/plugins/imv-test.opt b/conf/plugins/imv-test.opt index 2cbddc8f6..196559ed7 100644 --- a/conf/plugins/imv-test.opt +++ b/conf/plugins/imv-test.opt 
@@ -1,2 +1,2 @@ -charon.plugins.imv-test.rounds = 0 +libimcv.plugins.imv-test.rounds = 0 Number of IMC-IMV retry rounds. diff --git a/conf/plugins/kernel-klips.conf b/conf/plugins/kernel-klips.conf deleted file mode 100644 index 10ca30839..000000000 --- a/conf/plugins/kernel-klips.conf +++ /dev/null @@ -1,14 +0,0 @@ -kernel-klips { - - # Number of ipsecN devices. - # ipsec_dev_count = 4 - - # Set MTU of ipsecN device. - # ipsec_dev_mtu = 0 - - # Whether to load the plugin. Can also be an integer to increase the - # priority of this plugin. - load = yes - -} - diff --git a/conf/plugins/kernel-klips.opt b/conf/plugins/kernel-klips.opt deleted file mode 100644 index ad9806e71..000000000 --- a/conf/plugins/kernel-klips.opt +++ /dev/null @@ -1,5 +0,0 @@ -charon.plugins.kernel-klips.ipsec_dev_count = 4 - Number of ipsecN devices. - -charon.plugins.kernel-klips.ipsec_dev_mtu = 0 - Set MTU of ipsecN device. diff --git a/conf/plugins/load-tester.conf b/conf/plugins/load-tester.conf index e69c029d6..17281ba73 100644 --- a/conf/plugins/load-tester.conf +++ b/conf/plugins/load-tester.conf @@ -16,6 +16,10 @@ load-tester { # Seconds to start CHILD_SA rekeying after setup. # child_rekey = 600 + # URI to a CRL to include as certificate distribution point in generated + # certificates. + # crl = + # Delay between initiatons for each thread. # delay = 0 diff --git a/conf/plugins/load-tester.opt b/conf/plugins/load-tester.opt index 7afe32618..e68adecc6 100644 --- a/conf/plugins/load-tester.opt +++ b/conf/plugins/load-tester.opt @@ -20,6 +20,10 @@ charon.plugins.load-tester.ca_dir = charon.plugins.load-tester.child_rekey = 600 Seconds to start CHILD_SA rekeying after setup. +charon.plugins.load-tester.crl + URI to a CRL to include as certificate distribution point in generated + certificates. + charon.plugins.load-tester.delay = 0 Delay between initiatons for each thread. diff --git a/conf/plugins/vici.conf b/conf/plugins/vici.conf new file mode 100644 index 000000000..08fa586b4 
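Review bot: The new load-tester key is written `charon.plugins.load-tester.crl` with no trailing ` =`, unlike its neighbours `ca_dir =` and `child_rekey = 600`; the formatter evidently copes (the regenerated man page shows `" []"` and the conf shows `# crl =`), but for consistency with every other entry it should read `charon.plugins.load-tester.crl =`.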
--- /dev/null +++ b/conf/plugins/vici.conf @@ -0,0 +1,11 @@ +vici { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Socket the vici plugin serves clients. + # socket = unix://${piddir}/charon.vici + +} + diff --git a/conf/plugins/vici.opt b/conf/plugins/vici.opt new file mode 100644 index 000000000..0fca8739b --- /dev/null +++ b/conf/plugins/vici.opt @@ -0,0 +1,2 @@ +charon.plugins.vici.socket = unix://${piddir}/charon.vici + Socket the vici plugin serves clients. diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main index 12fde4903..d93c208ae 100644 --- a/conf/strongswan.conf.5.main +++ b/conf/strongswan.conf.5.main @@ -1,4 +1,8 @@ .TP +.BR aikgen.load " []" +Plugins to load in ipsec aikgen tool. + +.TP .BR attest.database " []" File measurement information database URI. If it contains a password, make sure to adjust the permissions of the config file accordingly. @@ -28,6 +32,20 @@ in the section. .TP +.BR charon.accept_unencrypted_mainmode_messages " [no]" +Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. + +Some implementations send the third Main Mode message unencrypted, probably to +find the PSKs for the specified ID for authentication. This is very similar to +Aggressive Mode, and has the same security implications: A passive attacker can +sniff the negotiated Identity, and start brute forcing the PSK using the HASH +payload. + +It is recommended to keep this option to no, unless you know exactly what the +implications are and require compatibility to such devices (for example, some +SonicWall boxes). + +.TP .BR charon.block_threshold " [5]" Maximum number of half\-open IKE_SAs for a single peer IP. 
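Review bot: The description of `charon.plugins.vici.socket = unix://${piddir}/charon.vici` says only that the plugin serves clients there, not what a client can do. vici is the interface the swanctl tool added in this same commit uses to load and change the daemon's configuration, so anyone able to connect to the socket presumably controls the daemon; the description should state that and that the socket's permissions (and those of `${piddir}`) must be restricted accordingly, e.g. `Clients connecting to this socket can reconfigure the daemon; keep it accessible to trusted users only.` The same wording is duplicated in vici.conf in the preceding hunk.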
@@ -666,7 +684,7 @@ Maximum number of processed EAP\-TLS packets (0 = no limit). Maximum number of processed EAP\-TNC packets (0 = no limit). .TP -.BR charon.plugins.eap-tnc.protocol " [tnccs-1.1]" +.BR charon.plugins.eap-tnc.protocol " [tnccs-2.0]" IF\-TNCCS protocol version to be used .RI "(" "tnccs\-1.1" "," .RI "" "tnccs\-2.0" "," @@ -698,6 +716,14 @@ Phase2 EAP Identity request piggybacked by server onto TLS Finished message. Start phase2 EAP TNC protocol after successful client authentication. .TP +.BR charon.plugins.eap-ttls.phase2_tnc_method " [pt]" +Phase2 EAP TNC transport protocol +.RI "(" "pt" "" +as IETF standard or legacy +.RI "" "tnc" ")" + + +.TP .BR charon.plugins.eap-ttls.request_peer_auth " [no]" Request peer authentication based on a client certificate. 
@@ -735,134 +761,10 @@ to 0 to disable.
 .TP
 .BR charon.plugins.ha.segment_count " [1]"
 .TP
-.BR charon.plugins.imc-attestation.aik_blob " []"
-AIK encrypted private key blob file.
-
-.TP
-.BR charon.plugins.imc-attestation.aik_cert " []"
-AIK certificate file.
-
-.TP
-.BR charon.plugins.imc-attestation.aik_key " []"
-AIK public key file.
-
-.TP
-.BR charon.plugins.imc-attestation.mandatory_dh_groups " [yes]"
-Enforce mandatory Diffie\-Hellman groups.
-
-.TP
-.BR charon.plugins.imc-attestation.nonce_len " [20]"
-DH nonce length.
-
-.TP
-.BR charon.plugins.imc-attestation.pcr17_after " []"
-Dummy data if the TBOOT log is not retrieved.
-
-.TP
-.BR charon.plugins.imc-attestation.pcr17_before " []"
-Dummy data if the TBOOT log is not retrieved.
-
-.TP
-.BR charon.plugins.imc-attestation.pcr17_meas " []"
-Dummy data if the TBOOT log is not retrieved.
-
-.TP
-.BR charon.plugins.imc-attestation.pcr18_after " []"
-Dummy data if the TBOOT log is not retrieved.
-
-.TP
-.BR charon.plugins.imc-attestation.pcr18_before " []"
-Dummy data if the TBOOT log is not retrieved.
-
-.TP
-.BR charon.plugins.imc-attestation.pcr18_meas " []"
-Dummy data if the TBOOT log is not retrieved.
-
-.TP
-.BR charon.plugins.imc-attestation.pcr_info " [yes]"
-Whether to send pcr_before and pcr_after info.
-
-.TP
-.BR charon.plugins.imc-attestation.use_quote2 " [yes]"
-Use Quote2 AIK signature instead of Quote signature.
-
-.TP
-.BR charon.plugins.imc-os.push_info " [yes]"
-Send operating system info without being prompted.
-
-.TP
-.BR charon.plugins.imc-scanner.push_info " [yes]"
-Send open listening ports without being prompted.
-
-.TP
-.BR charon.plugins.imc-swid.swid_directory " [${prefix}/share]"
-Directory where SWID tags are located.
-
-.TP
-.BR charon.plugins.imc-test.additional_ids " [0]"
-Number of additional IMC IDs.
-
-.TP
-.BR charon.plugins.imc-test.command " [none]"
-Command to be sent to the Test IMV.
-
-.TP
-.BR charon.plugins.imc-test.dummy_size " [0]"
-Size of dummy attribute to be sent to the Test IMV (0 = disabled).
-
-.TP
-.BR charon.plugins.imc-test.retry " [no]"
-Do a handshake retry.
-
-.TP
-.BR charon.plugins.imc-test.retry_command " []"
-Command to be sent to the Test IMV in the handshake retry.
-
-.TP
-.BR charon.plugins.imv-attestation.cadir " []"
-Path to directory with AIK cacerts.
-
-.TP
-.BR charon.plugins.imv-attestation.dh_group " [ecp256]"
-Preferred Diffie\-Hellman group.
-
-.TP
-.BR charon.plugins.imv-attestation.hash_algorithm " [sha256]"
-Preferred measurement hash algorithm.
-
-.TP
-.BR charon.plugins.imv-attestation.mandatory_dh_groups " [yes]"
-Enforce mandatory Diffie\-Hellman groups.
-
-.TP
-.BR charon.plugins.imv-attestation.min_nonce_len " [0]"
-DH minimum nonce length.
-
-.TP
-.BR charon.plugins.imv-os.remediation_uri " []"
-URI pointing to operating system remediation instructions.
-
-.TP
-.BR charon.plugins.imv-scanner.remediation_uri " []"
-URI pointing to scanner remediation instructions.
-
-.TP
-.BR charon.plugins.imv-test.rounds " [0]"
-Number of IMC\-IMV retry rounds.
-
-.TP
 .BR charon.plugins.ipseckey.enable " [no]"
 Enable fetching of IPSECKEY RRs via DNS.
 .TP
-.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]"
-Number of ipsecN devices.
-
-.TP
-.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
-Set MTU of ipsecN device.
-
-.TP
 .BR charon.plugins.kernel-libipsec.allow_peer_ts " [no]"
 Allow that the remote traffic selector equals the IKE peer. The route installed for such traffic (via TUN device) usually prevents further IKE traffic. The
@@ -928,6 +830,11 @@ Directory to load (intermediate) CA certificates from.
 Seconds to start CHILD_SA rekeying after setup.
 .TP
+.BR charon.plugins.load-tester.crl " []"
+URI to a CRL to include as certificate distribution point in generated
+certificates.
+
+.TP
 .BR charon.plugins.load-tester.delay " [0]"
 Delay between initiatons for each thread.
@@ -1360,6 +1267,10 @@ Config or IKEv2 Config Payloads (if enabled they can't be handled by other
 plugins, like resolve)
 .TP
+.BR charon.plugins.vici.socket " [unix://${piddir}/charon.vici]"
+Socket the vici plugin serves clients.
+
+.TP
 .BR charon.plugins.whitelist.enable " [yes]"
 Enable loaded whitelist plugin.
@@ -1397,6 +1308,11 @@ otherwise a random port will be allocated.
 .TP
+.BR charon.prefer_temporary_addrs " [no]"
+By default public IPv6 addresses are preferred over temporary ones (RFC 4941),
+to make connections more stable. Enable this option to reverse this.
+
+.TP
 .BR charon.process_route " [yes]"
 Process RTM_NEWROUTE and RTM_DELROUTE events.
@@ -1480,6 +1396,18 @@ Specific IKEv2 message type to delay, 0 for any.
 Send strongSwan vendor ID payload
 .TP
+.B charon.start-scripts
+.br
+Section containing a list of scripts (name = path) that are executed when the
+daemon is started.
+
+.TP
+.B charon.stop-scripts
+.br
+Section containing a list of scripts (name = path) that are executed when the
+daemon is terminated.
+
+.TP
 .B charon.syslog
 .br
 Section to define syslog loggers, see LOGGER CONFIGURATION in
@@ -1567,6 +1495,156 @@ Plugins to load in IMC/IMVs with stand\-alone library.
 .TP
+.BR libimcv.plugins.imc-attestation.aik_blob " []"
+AIK encrypted private key blob file.
+
+.TP
+.BR libimcv.plugins.imc-attestation.aik_cert " []"
+AIK certificate file.
+
+.TP
+.BR libimcv.plugins.imc-attestation.aik_pubkey " []"
+AIK public key file.
+
+.TP
+.BR libimcv.plugins.imc-attestation.mandatory_dh_groups " [yes]"
+Enforce mandatory Diffie\-Hellman groups.
+
+.TP
+.BR libimcv.plugins.imc-attestation.nonce_len " [20]"
+DH nonce length.
+
+.TP
+.BR libimcv.plugins.imc-attestation.pcr17_after " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR libimcv.plugins.imc-attestation.pcr17_before " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR libimcv.plugins.imc-attestation.pcr17_meas " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR libimcv.plugins.imc-attestation.pcr18_after " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR libimcv.plugins.imc-attestation.pcr18_before " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR libimcv.plugins.imc-attestation.pcr18_meas " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR libimcv.plugins.imc-attestation.pcr_info " [no]"
+Whether to send pcr_before and pcr_after info.
+
+.TP
+.BR libimcv.plugins.imc-attestation.use_quote2 " [yes]"
+Use Quote2 AIK signature instead of Quote signature.
+
+.TP
+.BR libimcv.plugins.imc-os.device_cert " []"
+Manually set the path to the client device certificate (e.g.
+/etc/pts/aikCert.der)
+
+.TP
+.BR libimcv.plugins.imc-os.device_id " []"
+Manually set the client device ID in hexadecimal format (e.g.
+1083f03988c9762703b1c1080c2e46f72b99cc31)
+
+.TP
+.BR libimcv.plugins.imc-os.device_pubkey " []"
+Manually set the path to the client device public key (e.g. /etc/pts/aikPub.der)
+
+.TP
+.BR libimcv.plugins.imc-os.push_info " [yes]"
+Send operating system info without being prompted.
+
+.TP
+.BR libimcv.plugins.imc-scanner.push_info " [yes]"
+Send open listening ports without being prompted.
+
+.TP
+.BR libimcv.plugins.imc-swid.swid_directory " [${prefix}/share]"
+Directory where SWID tags are located.
+
+.TP
+.BR libimcv.plugins.imc-swid.swid_full " [FALSE]"
+Include file information in the XML\-encoded SWID tags.
+
+.TP
+.BR libimcv.plugins.imc-swid.swid_generator " [/usr/local/bin/swid_generator]"
+SWID generator command to be executed.
+
+.TP
+.BR libimcv.plugins.imc-swid.swid_pretty " [FALSE]"
+Generate XML\-encoded SWID tags with pretty indentation.
+
+.TP
+.BR libimcv.plugins.imc-test.additional_ids " [0]"
+Number of additional IMC IDs.
+
+.TP
+.BR libimcv.plugins.imc-test.command " [none]"
+Command to be sent to the Test IMV.
+
+.TP
+.BR libimcv.plugins.imc-test.dummy_size " [0]"
+Size of dummy attribute to be sent to the Test IMV (0 = disabled).
+
+.TP
+.BR libimcv.plugins.imc-test.retry " [no]"
+Do a handshake retry.
+
+.TP
+.BR libimcv.plugins.imc-test.retry_command " []"
+Command to be sent to the Test IMV in the handshake retry.
+
+.TP
+.BR libimcv.plugins.imv-attestation.cadir " []"
+Path to directory with AIK cacerts.
+
+.TP
+.BR libimcv.plugins.imv-attestation.dh_group " [ecp256]"
+Preferred Diffie\-Hellman group.
+
+.TP
+.BR libimcv.plugins.imv-attestation.hash_algorithm " [sha256]"
+Preferred measurement hash algorithm.
+
+.TP
+.BR libimcv.plugins.imv-attestation.mandatory_dh_groups " [yes]"
+Enforce mandatory Diffie\-Hellman groups.
+
+.TP
+.BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
+DH minimum nonce length.
+
+.TP
+.BR libimcv.plugins.imv-os.remediation_uri " []"
+URI pointing to operating system remediation instructions.
+
+.TP
+.BR libimcv.plugins.imv-scanner.remediation_uri " []"
+URI pointing to scanner remediation instructions.
+
+.TP
+.BR libimcv.plugins.imv-swid.rest_api_timeout " [120]"
+Timeout of SWID REST API HTTP POST transaction.
+
+.TP
+.BR libimcv.plugins.imv-swid.rest_api_uri " []"
+HTTP URI of the SWID REST API.
+
+.TP
+.BR libimcv.plugins.imv-test.rounds " [0]"
+Number of IMC\-IMV retry rounds.
+
+.TP
 .BR libimcv.stderr_quiet " [no]"
 Disable output to stderr with a stand\-alone
 .RI "" "libimcv" ""
@@ -1670,3 +1748,7 @@ Plugins to load in starter.
 .BR starter.load_warning " [yes]"
 Disable charon plugin load option warning.
+.TP
+.BR swanctl.load " []"
+Plugins to load in swanctl.
+
|