Diffstat (limited to 'conf')
-rw-r--r--conf/Makefile.am2
-rw-r--r--conf/Makefile.in7
-rw-r--r--conf/options/aikpub2.conf7
-rw-r--r--conf/options/aikpub2.opt2
-rw-r--r--conf/options/charon-nm.conf8
-rw-r--r--conf/options/charon-nm.opt3
-rw-r--r--conf/options/charon.conf15
-rw-r--r--conf/options/charon.opt15
-rw-r--r--conf/plugins/kernel-netlink.conf27
-rw-r--r--conf/plugins/kernel-netlink.opt43
-rw-r--r--conf/strongswan.conf.5.main69
11 files changed, 174 insertions, 24 deletions
diff --git a/conf/Makefile.am b/conf/Makefile.am
index b7edaa8ee..4588b0999 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -9,9 +9,11 @@ pluginstemplatedir = $(templatesdir)/plugins
options = \
options/aikgen.opt \
+ options/aikpub2.opt \
options/attest.opt \
options/charon.opt \
options/charon-logging.opt \
+ options/charon-nm.opt \
options/charon-systemd.opt \
options/imcv.opt \
options/imv_policy_manager.opt \
diff --git a/conf/Makefile.in b/conf/Makefile.in
index 6804d91e0..e6d66a25a 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -305,7 +305,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
cmd_plugins = @cmd_plugins@
datadir = @datadir@
datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
dev_headers = @dev_headers@
docdir = @docdir@
dvidir = @dvidir@
@@ -339,8 +338,6 @@ libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
mandir = @mandir@
medsrv_plugins = @medsrv_plugins@
@@ -394,6 +391,8 @@ target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
@@ -408,9 +407,11 @@ optionstemplatedir = $(templatesdir)/strongswan.d
pluginstemplatedir = $(templatesdir)/plugins
options = \
options/aikgen.opt \
+ options/aikpub2.opt \
options/attest.opt \
options/charon.opt \
options/charon-logging.opt \
+ options/charon-nm.opt \
options/charon-systemd.opt \
options/imcv.opt \
options/imv_policy_manager.opt \
diff --git a/conf/options/aikpub2.conf b/conf/options/aikpub2.conf
new file mode 100644
index 000000000..fd48f2c7a
--- /dev/null
+++ b/conf/options/aikpub2.conf
@@ -0,0 +1,7 @@
+aikpub2 {
+
+ # Plugins to load in aikpub2 tool.
+ # load =
+
+}
+
diff --git a/conf/options/aikpub2.opt b/conf/options/aikpub2.opt
new file mode 100644
index 000000000..6a755d211
--- /dev/null
+++ b/conf/options/aikpub2.opt
@@ -0,0 +1,2 @@
+aikpub2.load =
+ Plugins to load in aikpub2 tool.
diff --git a/conf/options/charon-nm.conf b/conf/options/charon-nm.conf
new file mode 100644
index 000000000..85d64480d
--- /dev/null
+++ b/conf/options/charon-nm.conf
@@ -0,0 +1,8 @@
+charon-nm {
+
+ # Directory from which to load CA certificates if no certificate is
+ # configured.
+ # ca_dir = <default>
+
+}
+
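Review bot: The new `# ca_dir = <default>` line leaves the effective directory unstated: it tells an administrator that a fallback exists but not which path charon-nm loads CA certificates from when nothing is configured, and that is the directory whose contents and permissions need reviewing, since presumably every certificate placed there becomes a trust anchor (to be confirmed). Replacing the placeholder with the real default path, or adding a line such as `# <default> is the built-in CA certificate directory; check who can write to it.`, would make that explicit. The same placeholder is used in the charon-nm.opt hunk and in the strongswan.conf.5.main entry for charon-nm.ca_dir. "if no certificate is configured" is also ambiguous between "no CA certificate" and "no certificate at all"; naming which one removes the guess.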
diff --git a/conf/options/charon-nm.opt b/conf/options/charon-nm.opt
new file mode 100644
index 000000000..6372934bd
--- /dev/null
+++ b/conf/options/charon-nm.opt
@@ -0,0 +1,3 @@
+charon-nm.ca_dir = <default>
+ Directory from which to load CA certificates if no certificate is
+ configured.
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index 78411250e..f72041e6a 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -7,6 +7,12 @@ charon {
# Maximum number of half-open IKE_SAs for a single peer IP.
# block_threshold = 5
+ # Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
+ # be saved under a unique file name derived from the public key of the
+ # Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
+ # /etc/swanctl/x509crl (vici), respectively.
+ # cache_crls = no
+
# Whether relations in validated certificate chains should be cached in
# memory.
# cert_cache = yes
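Review bot: "Certicate" in the new `cache_crls` comment is a typo for "Certificate"; the same misspelling was copied into the charon.opt hunk for `charon.cache_crls` and into the strongswan.conf.5.main entry, so all three should read `Certificate Revocation Lists (CRLs)`. Since enabling the option makes the daemon write material fetched over HTTP or LDAP into /etc/ipsec.d/crls or /etc/swanctl/x509crl, the comment could also state that the daemon needs write access to that directory and, if this is the case, that a cached CRL is only used after its signature has been verified against the issuing CA — the latter is what I would expect but cannot confirm from this diff.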
@@ -51,10 +57,11 @@ charon {
# follow_redirects = yes
# Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
- # when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
- # address family specific default values). If specified this limit is
- # used for both IPv4 and IPv6.
- # fragment_size = 0
+ # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
+ # to 1280 (use 0 for address family specific default values, which uses a
+ # lower value for IPv4). If specified this limit is used for both IPv4 and
+ # IPv6.
+ # fragment_size = 1280
# Name of the group the daemon changes to after startup.
# group =
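Review bot: With the default now 1280, the closing sentence `If specified this limit is used for both IPv4 and IPv6.` no longer fits, because the limit is always in effect unless explicitly set to 0; `Unless set to 0, this limit is used for both IPv4 and IPv6.` describes the new behaviour. The same sentence appears in the charon.opt and strongswan.conf.5.main hunks for charon.fragment_size. The comment could also say where 1280 comes from — presumably the IPv6 minimum MTU — so that an administrator raising it knows what they are trading off.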
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 3970012d2..6e0b37c57 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -30,6 +30,12 @@ charon.cert_cache = yes
Whether relations in validated certificate chains should be cached in
memory.
+charon.cache_crls = no
+ Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
+ be saved under a unique file name derived from the public key of the
+ Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
+ **/etc/swanctl/x509crl** (vici), respectively.
+
charon.cisco_unity = no
Send Cisco Unity vendor ID payload (IKEv1 only).
@@ -100,11 +106,12 @@ charon.flush_auth_cfg = no
charon.follow_redirects = yes
Whether to follow IKEv2 redirects (RFC 5685).
-charon.fragment_size = 0
+charon.fragment_size = 1280
Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
- when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
- address family specific default values). If specified this limit is used
- for both IPv4 and IPv6.
+ when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
+ to 1280 (use 0 for address family specific default values, which uses a
+ lower value for IPv4). If specified this limit is used for both IPv4 and
+ IPv6.
charon.group
Name of the group the daemon changes to after startup.
diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf
index 3997dc7d9..47f7d58bc 100644
--- a/conf/plugins/kernel-netlink.conf
+++ b/conf/plugins/kernel-netlink.conf
@@ -46,8 +46,33 @@ kernel-netlink {
# Netlink message retransmission timeout, 0 to disable retransmissions.
# timeout = 0
- # Lifetime of XFRM acquire state in kernel.
+ # Lifetime of XFRM acquire state and allocated SPIs in kernel.
# xfrm_acq_expires = 165
+ # XFRM policy hashing threshold configuration for IPv4 and IPv6.
+ spdh_thresh {
+
+ ipv4 {
+
+ # Local subnet XFRM policy hashing threshold for IPv4.
+ # lbits = 32
+
+ # Remote subnet XFRM policy hashing threshold for IPv4.
+ # rbits = 32
+
+ }
+
+ ipv6 {
+
+ # Local subnet XFRM policy hashing threshold for IPv6.
+ # lbits = 128
+
+ # Remote subnet XFRM policy hashing threshold for IPv6.
+ # rbits = 128
+
+ }
+
+ }
+
}
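Review bot: The template comment `# XFRM policy hashing threshold configuration for IPv4 and IPv6.` gives no hint that the section is only usable on Linux 3.18 or later and may conflict with socket policies before 4.8, which the kernel-netlink.opt text in this commit does state; an administrator who only reads the template cannot tell why enabling it changes nothing, or breaks traffic, on an older kernel. If the .conf templates are generated from the .opt short description, the caveat belongs there instead; otherwise a second line such as `# Requires Linux 3.18 or later; may conflict with socket policies before 4.8.` under the section comment would do.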
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
index 6adefd8de..77ba6ea97 100644
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
@@ -51,6 +51,35 @@ charon.plugins.kernel-netlink.set_proto_port_transport_sa = no
traffic, it also prevents the use of a single IPsec SA by more than one
traffic selector.
+charon.plugins.kernel-netlink.spdh_thresh {}
+ XFRM policy hashing threshold configuration for IPv4 and IPv6.
+
+ XFRM policy hashing threshold configuration for IPv4 and IPv6.
+
+ The section defines hashing thresholds to configure in the kernel during
+ daemon startup. Each address family takes a threshold for the local subnet
+ of an IPsec policy (src in out-policies, dst in in- and forward-policies)
+ and the remote subnet (dst in out-policies, src in in- and
+ forward-policies).
+
+ If the subnet has more or equal net bits than the threshold, the first
+ threshold bits are used to calculate a hash to lookup the policy.
+
+ Policy hashing thresholds are not supported before Linux 3.18 and might
+ conflict with socket policies before Linux 4.8.
+
+charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits = 32
+ Local subnet XFRM policy hashing threshold for IPv4.
+
+charon.plugins.kernel-netlink.spdh_thresh.ipv4.rbits = 32
+ Remote subnet XFRM policy hashing threshold for IPv4.
+
+charon.plugins.kernel-netlink.spdh_thresh.ipv6.lbits = 128
+ Local subnet XFRM policy hashing threshold for IPv6.
+
+charon.plugins.kernel-netlink.spdh_thresh.ipv6.rbits = 128
+ Remote subnet XFRM policy hashing threshold for IPv6.
+
charon.plugins.kernel-netlink.retries = 0
Number of Netlink message retransmissions to send on timeout.
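Review bot: The new spdh_thresh text does not say what the daemon does when the kernel rejects the thresholds — it states they are unsupported before Linux 3.18, but not whether startup continues with a logged warning or the section is silently ignored — nor whether the setting is scoped to the whole network namespace and therefore also affects XFRM policies installed by other tools; both are things an operator needs to know before enabling it, and neither can be determined from this diff. A sentence after the Linux 3.18 paragraph covering each would close that gap. Separately, `If the subnet has more or equal net bits than the threshold` reads awkwardly; `If the subnet has at least as many net bits as the threshold` says the same thing, and the strongswan.conf.5.main hunk carries the same sentence.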
@@ -61,8 +90,12 @@ charon.plugins.kernel-netlink.ignore_retransmit_errors = no
Whether to ignore errors potentially resulting from a retransmission.
charon.plugins.kernel-netlink.xfrm_acq_expires = 165
- Lifetime of XFRM acquire state in kernel.
-
- Lifetime of XFRM acquire state in kernel. The value gets written to
- /proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM
- acquire messages sent.
+ Lifetime of XFRM acquire state and allocated SPIs in kernel.
+
+ Lifetime of XFRM acquire state created by the kernel when traffic matches a
+ trap policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires.
+ Indirectly controls the delay between XFRM acquire messages triggered by the
+ kernel for a trap policy. The same value is used as timeout for SPIs
+ allocated by the kernel. The default value equals the default total
+ retransmission timeout for IKE messages, see IKEv2 RETRANSMISSION
+ in **strongswan.conf**(5).
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index 3d03f2058..c0ecbb7ce 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -3,6 +3,10 @@
Plugins to load in ipsec aikgen tool.
.TP
+.BR aikpub2.load " []"
+Plugins to load in aikpub2 tool.
+
+.TP
.BR attest.database " []"
File measurement information database URI. If it contains a password, make sure
to adjust the permissions of the config file accordingly.
@@ -50,6 +54,16 @@ SonicWall boxes).
Maximum number of half\-open IKE_SAs for a single peer IP.
.TP
+.BR charon.cache_crls " [no]"
+Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should be
+saved under a unique file name derived from the public key of the Certification
+Authority (CA) to
+.RB "" "/etc/ipsec.d/crls" ""
+(stroke) or
+.RB "" "/etc/swanctl/x509crl" ""
+(vici), respectively.
+
+.TP
.BR charon.cert_cache " [yes]"
Whether relations in validated certificate chains should be cached in memory.
@@ -188,11 +202,11 @@ conflict with plugins that later need access to e.g. the used certificates.
Whether to follow IKEv2 redirects (RFC 5685).
.TP
-.BR charon.fragment_size " [0]"
+.BR charon.fragment_size " [1280]"
Maximum size (complete IP datagram size in bytes) of a sent IKE fragment when
-using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for address
-family specific default values). If specified this limit is used for both
-IPv4 and IPv6.
+using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults to 1280
+(use 0 for address family specific default values, which uses a lower value for
+IPv4). If specified this limit is used for both IPv4 and IPv6.
.TP
.BR charon.group " []"
@@ -962,14 +976,51 @@ IPsec SAs in the kernel. While doing so enforces policies for inbound traffic,
it also prevents the use of a single IPsec SA by more than one traffic selector.
.TP
+.B charon.plugins.kernel-netlink.spdh_thresh
+.br
+XFRM policy hashing threshold configuration for IPv4 and IPv6.
+
+The section defines hashing thresholds to configure in the kernel during daemon
+startup. Each address family takes a threshold for the local subnet of an IPsec
+policy (src in out\-policies, dst in in\- and forward\-policies) and the remote
+subnet (dst in out\-policies, src in in\- and forward\-policies).
+
+If the subnet has more or equal net bits than the threshold, the first threshold
+bits are used to calculate a hash to lookup the policy.
+
+Policy hashing thresholds are not supported before Linux 3.18 and might conflict
+with socket policies before Linux 4.8.
+
+.TP
+.BR charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits " [32]"
+Local subnet XFRM policy hashing threshold for IPv4.
+
+.TP
+.BR charon.plugins.kernel-netlink.spdh_thresh.ipv4.rbits " [32]"
+Remote subnet XFRM policy hashing threshold for IPv4.
+
+.TP
+.BR charon.plugins.kernel-netlink.spdh_thresh.ipv6.lbits " [128]"
+Local subnet XFRM policy hashing threshold for IPv6.
+
+.TP
+.BR charon.plugins.kernel-netlink.spdh_thresh.ipv6.rbits " [128]"
+Remote subnet XFRM policy hashing threshold for IPv6.
+
+.TP
.BR charon.plugins.kernel-netlink.timeout " [0]"
Netlink message retransmission timeout, 0 to disable retransmissions.
.TP
.BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]"
-Lifetime of XFRM acquire state in kernel. The value gets written to
-/proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM
-acquire messages sent.
+Lifetime of XFRM acquire state created by the kernel when traffic matches a trap
+policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires.
+Indirectly controls the delay between XFRM acquire messages triggered by the
+kernel for a trap policy. The same value is used as timeout for SPIs allocated
+by the kernel. The default value equals the default total retransmission timeout
+for IKE messages, see IKEv2 RETRANSMISSION in
+.RB "" "strongswan.conf" "(5)."
+
.TP
.BR charon.plugins.kernel-pfkey.events_buffer_size " [0]"
@@ -1731,6 +1782,10 @@ Name of the user the daemon changes to after startup.
Discard certificates with unsupported or unknown critical extensions.
.TP
+.BR charon-nm.ca_dir " [<default>]"
+Directory from which to load CA certificates if no certificate is configured.
+
+.TP
.B charon-systemd.journal
.br
Section to configure native systemd journal logger, very similar to the syslog