From 15fb7904f4431a6e7c305fd08732458f7f885e7e Mon Sep 17 00:00:00 2001 
From: Yves-Alexis Perez Date: Tue, 11 Mar 2014 20:48:48 +0100 Subject: Imported Upstream version 5.1.2 --- Android.common.mk | 2 +- Android.mk | 3 +- Doxyfile.in | 2 +- Makefile.am | 17 +- Makefile.in | 32 +- NEWS | 46 + aclocal.m4 | 272 +++ conf/Makefile.am | 163 ++ conf/Makefile.in | 873 +++++++++ conf/default.conf | 8 + conf/default.opt | 3 + conf/format-options.py | 337 ++++ conf/options/attest.conf | 11 + conf/options/attest.opt | 6 + conf/options/charon-logging.conf | 62 + conf/options/charon-logging.opt | 57 + conf/options/charon.conf | 281 +++ conf/options/charon.opt | 284 +++ conf/options/imcv.conf | 43 + conf/options/imcv.opt | 28 + conf/options/manager.conf | 23 + conf/options/manager.opt | 18 + conf/options/medsrv.conf | 32 + conf/options/medsrv.opt | 27 + conf/options/pacman.conf | 12 + conf/options/pacman.opt | 7 + conf/options/pool.conf | 12 + conf/options/pool.opt | 7 + conf/options/starter.conf | 10 + conf/options/starter.opt | 5 + conf/options/tnc.conf | 11 + conf/options/tnc.opt | 2 + conf/options/tools.conf | 21 + conf/options/tools.opt | 8 + conf/plugins/android_log.conf | 11 + conf/plugins/android_log.opt | 2 + conf/plugins/attr-sql.conf | 16 + conf/plugins/attr-sql.opt | 6 + conf/plugins/attr.conf | 14 + conf/plugins/attr.opt | 14 + conf/plugins/certexpire.conf | 38 + conf/plugins/certexpire.opt | 25 + conf/plugins/coupling.conf | 17 + conf/plugins/coupling.opt | 8 + conf/plugins/dhcp.conf | 20 + conf/plugins/dhcp.opt | 22 + conf/plugins/dnscert.conf | 11 + conf/plugins/dnscert.opt | 2 + conf/plugins/duplicheck.conf | 14 + conf/plugins/duplicheck.opt | 5 + conf/plugins/eap-aka-3ggp2.conf | 10 + conf/plugins/eap-aka-3ggp2.opt | 1 + conf/plugins/eap-aka.conf | 10 + conf/plugins/eap-aka.opt | 1 + conf/plugins/eap-dynamic.conf | 14 + conf/plugins/eap-dynamic.opt | 13 + conf/plugins/eap-gtc.conf | 11 + conf/plugins/eap-gtc.opt | 2 + conf/plugins/eap-peap.conf | 30 + conf/plugins/eap-peap.opt | 20 + conf/plugins/eap-radius.conf | 86 + 
conf/plugins/eap-radius.opt | 105 + conf/plugins/eap-sim.conf | 10 + conf/plugins/eap-sim.opt | 1 + conf/plugins/eap-simaka-sql.conf | 12 + conf/plugins/eap-simaka-sql.opt | 3 + conf/plugins/eap-tls.conf | 17 + conf/plugins/eap-tls.opt | 8 + conf/plugins/eap-tnc.conf | 15 + conf/plugins/eap-tnc.opt | 6 + conf/plugins/eap-ttls.conf | 30 + conf/plugins/eap-ttls.opt | 20 + conf/plugins/error-notify.conf | 11 + conf/plugins/error-notify.opt | 2 + conf/plugins/gcrypt.conf | 11 + conf/plugins/gcrypt.opt | 2 + conf/plugins/ha.conf | 32 + conf/plugins/ha.opt | 23 + conf/plugins/imc-attestation.conf | 26 + conf/plugins/imc-attestation.opt | 17 + conf/plugins/imc-os.conf | 11 + conf/plugins/imc-os.opt | 2 + conf/plugins/imc-scanner.conf | 11 + conf/plugins/imc-scanner.opt | 2 + conf/plugins/imc-swid.conf | 11 + conf/plugins/imc-swid.opt | 2 + conf/plugins/imc-test.conf | 23 + conf/plugins/imc-test.opt | 14 + conf/plugins/imv-attestation.conf | 42 + conf/plugins/imv-attestation.opt | 29 + conf/plugins/imv-os.conf | 11 + conf/plugins/imv-os.opt | 2 + conf/plugins/imv-scanner.conf | 11 + conf/plugins/imv-scanner.opt | 2 + conf/plugins/imv-test.conf | 11 + conf/plugins/imv-test.opt | 2 + conf/plugins/ipseckey.conf | 11 + conf/plugins/ipseckey.opt | 2 + conf/plugins/kernel-klips.conf | 14 + conf/plugins/kernel-klips.opt | 5 + conf/plugins/kernel-libipsec.conf | 11 + conf/plugins/kernel-libipsec.opt | 7 + conf/plugins/kernel-netlink.conf | 19 + conf/plugins/kernel-netlink.opt | 18 + conf/plugins/kernel-pfroute.conf | 12 + conf/plugins/kernel-pfroute.opt | 3 + conf/plugins/led.conf | 12 + conf/plugins/led.opt | 3 + conf/plugins/load-tester.conf | 138 ++ conf/plugins/load-tester.opt | 128 ++ conf/plugins/lookip.conf | 11 + conf/plugins/lookip.opt | 2 + conf/plugins/ntru.conf | 17 + conf/plugins/ntru.opt | 8 + conf/plugins/openssl.conf | 14 + conf/plugins/openssl.opt | 5 + conf/plugins/pkcs11.conf | 37 + conf/plugins/pkcs11.opt | 26 + conf/plugins/radattr.conf | 15 + 
conf/plugins/radattr.opt | 9 + conf/plugins/random.conf | 18 + conf/plugins/random.opt | 9 + conf/plugins/resolve.conf | 18 + conf/plugins/resolve.opt | 11 + conf/plugins/socket-default.conf | 20 + conf/plugins/socket-default.opt | 11 + conf/plugins/sql.conf | 15 + conf/plugins/sql.opt | 6 + conf/plugins/stroke.conf | 24 + conf/plugins/stroke.opt | 15 + conf/plugins/systime-fix.conf | 22 + conf/plugins/systime-fix.opt | 12 + conf/plugins/tnc-ifmap.conf | 30 + conf/plugins/tnc-ifmap.opt | 21 + conf/plugins/tnc-imc.conf | 14 + conf/plugins/tnc-imc.opt | 5 + conf/plugins/tnc-imv.conf | 14 + conf/plugins/tnc-imv.opt | 5 + conf/plugins/tnc-pdp.conf | 41 + conf/plugins/tnc-pdp.opt | 24 + conf/plugins/tnccs-11.conf | 11 + conf/plugins/tnccs-11.opt | 2 + conf/plugins/tnccs-20.conf | 14 + conf/plugins/tnccs-20.opt | 5 + conf/plugins/unbound.conf | 17 + conf/plugins/unbound.opt | 17 + conf/plugins/updown.conf | 12 + conf/plugins/updown.opt | 7 + conf/plugins/whitelist.conf | 14 + conf/plugins/whitelist.opt | 6 + conf/plugins/xauth-eap.conf | 11 + conf/plugins/xauth-eap.opt | 2 + conf/plugins/xauth-pam.conf | 18 + conf/plugins/xauth-pam.opt | 9 + conf/strongswan.conf | 14 + conf/strongswan.conf.5.head.in | 127 ++ conf/strongswan.conf.5.main | 1664 ++++++++++++++++ conf/strongswan.conf.5.tail.in | 470 +++++ config.h.in | 17 +- configure | 548 ++++-- configure.ac | 102 +- init/Makefile.in | 12 +- init/systemd/Makefile.in | 12 +- man/Makefile.am | 3 +- man/Makefile.in | 22 +- man/ipsec.conf.5.in | 4 +- man/strongswan.conf.5.in | 1745 ----------------- scripts/Makefile.in | 12 +- scripts/aes-test.c | 4 +- scripts/crypt_burn.c | 2 +- scripts/dh_speed.c | 2 +- scripts/dnssec.c | 2 +- scripts/fetch.c | 2 +- scripts/hash_burn.c | 2 +- scripts/key2keyid.c | 2 +- scripts/keyid2sql.c | 2 +- scripts/malloc_speed.c | 2 +- scripts/pubkey_speed.c | 2 +- scripts/tls_test.c | 2 +- src/Makefile.am | 16 +- src/Makefile.in | 47 +- src/_copyright/Makefile.in | 12 +- src/_copyright/_copyright.c | 
14 +- src/_updown/Makefile.in | 12 +- src/_updown/_updown.in | 34 + src/_updown_espmark/Makefile.in | 12 +- src/charon-cmd/Makefile.in | 12 +- src/charon-cmd/charon-cmd.8.in | 18 + src/charon-cmd/charon-cmd.c | 7 +- src/charon-cmd/cmd/cmd_connection.c | 97 +- src/charon-cmd/cmd/cmd_options.c | 6 + src/charon-cmd/cmd/cmd_options.h | 3 + src/charon-nm/Makefile.in | 12 +- src/charon-nm/charon-nm.c | 6 +- src/charon-nm/nm/nm_backend.c | 12 - src/charon-nm/nm/nm_service.c | 16 +- src/charon-tkm/Makefile.am | 40 +- src/charon-tkm/Makefile.in | 52 +- src/charon-tkm/build_common.gpr | 2 +- src/charon-tkm/build_tests.gpr | 6 +- src/charon-tkm/src/charon-tkm.c | 17 +- src/charon-tkm/src/tkm/tkm.c | 4 +- src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 108 +- src/charon-tkm/src/tkm/tkm_diffie_hellman.h | 13 + src/charon-tkm/src/tkm/tkm_id_manager.c | 1 - src/charon-tkm/tests/chunk_map_tests.c | 17 +- src/charon-tkm/tests/diffie_hellman_tests.c | 18 +- src/charon-tkm/tests/id_manager_tests.c | 20 +- src/charon-tkm/tests/kernel_sad_tests.c | 23 +- src/charon-tkm/tests/keymat_tests.c | 18 +- src/charon-tkm/tests/nonceg_tests.c | 21 +- src/charon-tkm/tests/test_runner.c | 84 - src/charon-tkm/tests/test_runner.h | 30 - src/charon-tkm/tests/tests.c | 114 ++ src/charon-tkm/tests/tests.h | 23 + src/charon-tkm/tests/utils_tests.c | 15 +- src/charon/Android.mk | 1 - src/charon/Makefile.in | 12 +- src/charon/charon.c | 6 +- src/checksum/Makefile.am | 19 +- src/checksum/Makefile.in | 79 +- src/checksum/checksum_builder.c | 5 +- src/conftest/Makefile.in | 12 +- src/conftest/conftest.c | 8 +- src/dumm/Makefile.in | 12 +- src/dumm/cowfs.h | 2 +- src/dumm/ext/dumm.c | 2 +- src/dumm/main.c | 2 +- src/include/Makefile.in | 12 +- src/ipsec/Makefile.in | 12 +- src/ipsec/_ipsec.8 | 2 +- src/libcharon/Android.mk | 1 - src/libcharon/Makefile.in | 12 +- src/libcharon/config/ike_cfg.c | 6 +- src/libcharon/config/proposal.c | 4 + src/libcharon/daemon.c | 36 +- src/libcharon/daemon.h | 10 +- 
src/libcharon/encoding/payloads/notify_payload.c | 14 +- src/libcharon/encoding/payloads/notify_payload.h | 2 + src/libcharon/network/receiver.c | 20 +- src/libcharon/network/sender.c | 8 +- src/libcharon/plugins/addrblock/Makefile.in | 12 +- src/libcharon/plugins/android_dns/Makefile.in | 12 +- src/libcharon/plugins/android_log/Makefile.in | 12 +- .../plugins/android_log/android_log_logger.c | 2 +- src/libcharon/plugins/certexpire/Makefile.in | 12 +- .../plugins/certexpire/certexpire_export.c | 30 +- src/libcharon/plugins/coupling/Makefile.in | 12 +- .../plugins/coupling/coupling_validator.c | 8 +- src/libcharon/plugins/dhcp/Makefile.in | 12 +- src/libcharon/plugins/dhcp/dhcp_socket.c | 40 +- src/libcharon/plugins/dnscert/Makefile.in | 12 +- src/libcharon/plugins/dnscert/dnscert_plugin.c | 2 +- src/libcharon/plugins/duplicheck/Makefile.in | 12 +- .../plugins/duplicheck/duplicheck_notify.c | 2 +- .../plugins/duplicheck/duplicheck_plugin.c | 2 +- src/libcharon/plugins/eap_aka/Makefile.in | 12 +- src/libcharon/plugins/eap_aka/eap_aka_server.c | 2 +- src/libcharon/plugins/eap_aka_3gpp2/Makefile.in | 12 +- .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c | 2 +- src/libcharon/plugins/eap_dynamic/Makefile.in | 12 +- src/libcharon/plugins/eap_dynamic/eap_dynamic.c | 4 +- src/libcharon/plugins/eap_gtc/Makefile.in | 12 +- src/libcharon/plugins/eap_gtc/eap_gtc.c | 2 +- src/libcharon/plugins/eap_identity/Makefile.in | 12 +- src/libcharon/plugins/eap_md5/Makefile.in | 12 +- src/libcharon/plugins/eap_mschapv2/Makefile.in | 12 +- src/libcharon/plugins/eap_peap/Makefile.in | 12 +- src/libcharon/plugins/eap_peap/eap_peap.c | 8 +- src/libcharon/plugins/eap_peap/eap_peap_server.c | 8 +- src/libcharon/plugins/eap_radius/Makefile.in | 12 +- src/libcharon/plugins/eap_radius/eap_radius.c | 10 +- .../plugins/eap_radius/eap_radius_accounting.c | 6 +- src/libcharon/plugins/eap_radius/eap_radius_dae.c | 10 +- .../plugins/eap_radius/eap_radius_forward.c | 4 +- 
.../plugins/eap_radius/eap_radius_plugin.c | 34 +- .../plugins/eap_radius/eap_radius_xauth.c | 2 +- src/libcharon/plugins/eap_sim/Makefile.in | 12 +- src/libcharon/plugins/eap_sim/eap_sim_server.c | 2 +- src/libcharon/plugins/eap_sim_file/Makefile.in | 12 +- src/libcharon/plugins/eap_sim_pcsc/Makefile.in | 12 +- .../plugins/eap_simaka_pseudonym/Makefile.in | 12 +- .../plugins/eap_simaka_reauth/Makefile.in | 12 +- src/libcharon/plugins/eap_simaka_sql/Makefile.in | 12 +- .../plugins/eap_simaka_sql/eap_simaka_sql_plugin.c | 4 +- src/libcharon/plugins/eap_tls/Makefile.in | 12 +- src/libcharon/plugins/eap_tls/eap_tls.c | 6 +- src/libcharon/plugins/eap_tnc/Makefile.in | 12 +- src/libcharon/plugins/eap_tnc/eap_tnc.c | 6 +- src/libcharon/plugins/eap_ttls/Makefile.in | 12 +- src/libcharon/plugins/eap_ttls/eap_ttls.c | 8 +- src/libcharon/plugins/eap_ttls/eap_ttls_server.c | 8 +- src/libcharon/plugins/error_notify/Makefile.in | 12 +- .../plugins/error_notify/error_notify_socket.c | 2 +- src/libcharon/plugins/farp/Makefile.in | 12 +- src/libcharon/plugins/ha/Makefile.in | 12 +- src/libcharon/plugins/ha/ha_attribute.c | 2 +- src/libcharon/plugins/ha/ha_plugin.c | 14 +- src/libcharon/plugins/ha/ha_segments.c | 6 +- src/libcharon/plugins/ipseckey/Makefile.in | 12 +- src/libcharon/plugins/ipseckey/ipseckey_plugin.c | 2 +- src/libcharon/plugins/kernel_libipsec/Makefile.in | 12 +- .../kernel_libipsec/kernel_libipsec_ipsec.c | 2 +- .../kernel_libipsec/kernel_libipsec_plugin.c | 2 +- src/libcharon/plugins/led/Makefile.in | 12 +- src/libcharon/plugins/led/led_listener.c | 6 +- src/libcharon/plugins/load_tester/Makefile.in | 12 +- .../plugins/load_tester/load_tester_config.c | 57 +- .../plugins/load_tester/load_tester_control.c | 2 +- .../plugins/load_tester/load_tester_creds.c | 12 +- .../plugins/load_tester/load_tester_listener.c | 2 +- .../plugins/load_tester/load_tester_plugin.c | 16 +- src/libcharon/plugins/lookip/Makefile.in | 12 +- src/libcharon/plugins/lookip/lookip_socket.c | 
39 +- src/libcharon/plugins/maemo/Makefile.in | 12 +- src/libcharon/plugins/medcli/Makefile.in | 12 +- src/libcharon/plugins/medsrv/Makefile.in | 12 +- src/libcharon/plugins/osx_attr/Makefile.in | 12 +- src/libcharon/plugins/radattr/Makefile.in | 12 +- src/libcharon/plugins/radattr/radattr_listener.c | 52 +- src/libcharon/plugins/smp/Makefile.in | 12 +- src/libcharon/plugins/socket_default/Makefile.in | 12 +- .../plugins/socket_default/socket_default_socket.c | 14 +- src/libcharon/plugins/socket_dynamic/Makefile.in | 12 +- .../plugins/socket_dynamic/socket_dynamic_socket.c | 2 +- src/libcharon/plugins/sql/Makefile.in | 12 +- src/libcharon/plugins/sql/sql_logger.c | 2 +- src/libcharon/plugins/sql/sql_plugin.c | 2 +- src/libcharon/plugins/stroke/Makefile.in | 12 +- src/libcharon/plugins/stroke/stroke_config.c | 2 +- src/libcharon/plugins/stroke/stroke_control.c | 2 +- src/libcharon/plugins/stroke/stroke_cred.c | 53 +- src/libcharon/plugins/stroke/stroke_socket.c | 53 +- src/libcharon/plugins/systime_fix/Makefile.in | 12 +- .../plugins/systime_fix/systime_fix_plugin.c | 8 +- src/libcharon/plugins/tnc_ifmap/Makefile.in | 12 +- .../plugins/tnc_ifmap/tnc_ifmap_listener.c | 4 +- src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c | 14 +- src/libcharon/plugins/tnc_pdp/Makefile.in | 12 +- src/libcharon/plugins/tnc_pdp/tnc_pdp.c | 14 +- .../plugins/tnc_pdp/tnc_pdp_connections.c | 2 +- src/libcharon/plugins/uci/Makefile.in | 12 +- src/libcharon/plugins/unit_tester/Makefile.in | 12 +- src/libcharon/plugins/unity/Makefile.in | 12 +- src/libcharon/plugins/unity/unity_narrow.c | 11 +- src/libcharon/plugins/unity/unity_provider.c | 77 +- src/libcharon/plugins/updown/Makefile.in | 12 +- src/libcharon/plugins/updown/updown_handler.c | 2 +- src/libcharon/plugins/updown/updown_listener.c | 10 +- src/libcharon/plugins/updown/updown_plugin.c | 2 +- src/libcharon/plugins/whitelist/Makefile.in | 12 +- .../plugins/whitelist/whitelist_control.c | 2 +- .../plugins/whitelist/whitelist_listener.c 
| 2 +- src/libcharon/plugins/xauth_eap/Makefile.in | 12 +- src/libcharon/plugins/xauth_eap/xauth_eap.c | 2 +- src/libcharon/plugins/xauth_generic/Makefile.in | 12 +- src/libcharon/plugins/xauth_noauth/Makefile.in | 12 +- src/libcharon/plugins/xauth_pam/Makefile.am | 1 + src/libcharon/plugins/xauth_pam/Makefile.in | 16 +- src/libcharon/plugins/xauth_pam/xauth_pam.c | 13 +- .../plugins/xauth_pam/xauth_pam_listener.c | 144 ++ .../plugins/xauth_pam/xauth_pam_listener.h | 58 + src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c | 71 +- src/libcharon/processing/jobs/inactivity_job.c | 5 +- src/libcharon/sa/child_sa.c | 13 + src/libcharon/sa/child_sa.h | 7 + src/libcharon/sa/ike_sa.c | 41 +- src/libcharon/sa/ike_sa_manager.c | 8 +- src/libcharon/sa/ikev1/task_manager_v1.c | 19 +- src/libcharon/sa/ikev1/tasks/aggressive_mode.c | 6 +- src/libcharon/sa/ikev1/tasks/isakmp_vendor.c | 4 +- src/libcharon/sa/ikev1/tasks/quick_mode.c | 2 +- src/libcharon/sa/ikev2/keymat_v2.c | 30 +- src/libcharon/sa/ikev2/task_manager_v2.c | 15 +- src/libcharon/sa/ikev2/tasks/child_create.c | 4 +- src/libcharon/sa/ikev2/tasks/ike_auth.c | 2 +- src/libcharon/sa/ikev2/tasks/ike_cert_pre.c | 2 +- src/libcharon/sa/ikev2/tasks/ike_vendor.c | 79 +- src/libcharon/sa/task_manager.h | 5 + src/libcharon/sa/trap_manager.c | 87 +- src/libcharon/sa/xauth/xauth_manager.c | 3 + src/libfast/Makefile.in | 12 +- src/libfast/fast_request.c | 39 +- src/libhydra/Android.mk | 1 - src/libhydra/Makefile.in | 12 +- src/libhydra/attributes/mem_pool.c | 2 +- src/libhydra/hydra.c | 4 +- src/libhydra/hydra.h | 12 +- src/libhydra/kernel/kernel_interface.c | 4 +- src/libhydra/plugins/attr/Makefile.in | 12 +- src/libhydra/plugins/attr/attr_provider.c | 8 +- src/libhydra/plugins/attr_sql/Makefile.in | 12 +- src/libhydra/plugins/attr_sql/attr_sql_plugin.c | 4 +- src/libhydra/plugins/attr_sql/sql_attribute.c | 2 +- src/libhydra/plugins/kernel_klips/Makefile.in | 12 +- .../plugins/kernel_klips/kernel_klips_ipsec.c | 10 +- 
src/libhydra/plugins/kernel_netlink/Makefile.in | 12 +- .../plugins/kernel_netlink/kernel_netlink_ipsec.c | 22 +- .../plugins/kernel_netlink/kernel_netlink_net.c | 25 +- src/libhydra/plugins/kernel_pfkey/Makefile.in | 12 +- .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 4 +- src/libhydra/plugins/kernel_pfroute/Makefile.in | 12 +- .../plugins/kernel_pfroute/kernel_pfroute_net.c | 11 +- src/libhydra/plugins/resolve/Makefile.in | 12 +- src/libhydra/plugins/resolve/resolve_handler.c | 4 +- src/libimcv/Makefile.am | 4 +- src/libimcv/Makefile.in | 65 +- src/libimcv/imcv.c | 11 +- src/libimcv/imv/data.sql | 132 ++ src/libimcv/imv/imv_msg.c | 4 +- src/libimcv/imv/imv_policy_manager.c | 11 +- src/libimcv/imv/imv_reason_string.c | 11 +- src/libimcv/imv/imv_reason_string.h | 3 +- src/libimcv/imv/imv_workitem.c | 5 +- src/libimcv/imv/imv_workitem.h | 3 +- src/libimcv/ita/ita_attr_command.c | 5 +- src/libimcv/ita/ita_attr_get_settings.c | 9 +- src/libimcv/ita/ita_attr_settings.c | 9 +- src/libimcv/os_info/os_info.c | 4 +- src/libimcv/plugins/imc_os/Makefile.in | 12 +- src/libimcv/plugins/imc_os/imc_os.c | 2 +- src/libimcv/plugins/imc_scanner/Makefile.in | 12 +- src/libimcv/plugins/imc_scanner/imc_scanner.c | 2 +- src/libimcv/plugins/imc_test/Makefile.in | 12 +- src/libimcv/plugins/imc_test/imc_test.c | 12 +- src/libimcv/plugins/imv_os/Makefile.in | 12 +- src/libimcv/plugins/imv_os/imv_os_database.c | 5 +- src/libimcv/plugins/imv_os/imv_os_state.c | 4 +- src/libimcv/plugins/imv_os/pacman.c | 4 +- src/libimcv/plugins/imv_os/pacman.sh | 1 + src/libimcv/plugins/imv_scanner/Makefile.in | 12 +- .../plugins/imv_scanner/imv_scanner_state.c | 4 +- src/libimcv/plugins/imv_test/Makefile.in | 12 +- src/libimcv/plugins/imv_test/imv_test_agent.c | 10 +- src/libimcv/plugins/imv_test/imv_test_state.c | 2 +- src/libipsec/Android.mk | 1 - src/libipsec/Makefile.in | 12 +- src/libpts/Makefile.in | 12 +- src/libpts/plugins/imc_attestation/Makefile.in | 12 +- 
.../imc_attestation/imc_attestation_process.c | 11 +- src/libpts/plugins/imc_swid/Makefile.in | 12 +- src/libpts/plugins/imc_swid/imc_swid.c | 4 +- src/libpts/plugins/imv_attestation/Makefile.in | 12 +- src/libpts/plugins/imv_attestation/attest.c | 13 +- src/libpts/plugins/imv_attestation/attest_db.c | 4 +- src/libpts/plugins/imv_attestation/attest_usage.c | 7 +- .../imv_attestation/imv_attestation_agent.c | 186 +- .../imv_attestation/imv_attestation_build.c | 153 +- .../imv_attestation/imv_attestation_build.h | 5 +- .../imv_attestation/imv_attestation_process.c | 83 +- .../imv_attestation/imv_attestation_state.c | 114 +- .../imv_attestation/imv_attestation_state.h | 35 +- src/libpts/plugins/imv_swid/Makefile.in | 12 +- src/libpts/pts/components/ita/ita_comp_ima.c | 8 +- src/libpts/pts/components/ita/ita_comp_tboot.c | 12 +- src/libpts/pts/pts.c | 8 +- src/libpts/pts/pts_database.c | 62 +- src/libpts/pts/pts_file_meas.c | 3 +- src/libpts/swid/swid_inventory.c | 34 +- src/libpts/tcg/pts/tcg_pts_attr_req_file_meas.c | 5 +- src/libpts/tcg/pts/tcg_pts_attr_req_file_meta.c | 5 +- .../tcg/pts/tcg_pts_attr_req_func_comp_evid.c | 2 +- src/libpts/tcg/pts/tcg_pts_attr_unix_file_meta.c | 5 +- src/libpttls/Makefile.in | 12 +- src/libradius/Makefile.in | 12 +- src/libsimaka/Makefile.in | 12 +- src/libstrongswan/Android.mk | 8 +- src/libstrongswan/Makefile.am | 17 +- src/libstrongswan/Makefile.in | 73 +- src/libstrongswan/asn1/asn1.c | 80 +- src/libstrongswan/asn1/asn1.h | 7 + src/libstrongswan/asn1/asn1_parser.c | 1 + src/libstrongswan/asn1/oid.c | 650 ++++--- src/libstrongswan/asn1/oid.h | 328 ++-- src/libstrongswan/asn1/oid.txt | 24 + src/libstrongswan/collections/array.c | 151 +- src/libstrongswan/collections/array.h | 73 +- src/libstrongswan/credentials/credential_manager.c | 2 +- src/libstrongswan/crypto/crypto_factory.c | 6 +- src/libstrongswan/crypto/crypto_tester.c | 8 +- src/libstrongswan/crypto/diffie_hellman.c | 9 +- src/libstrongswan/crypto/diffie_hellman.h | 5 + 
.../crypto/proposal/proposal_keywords.c | 55 +- .../crypto/proposal/proposal_keywords.h | 13 + .../crypto/proposal/proposal_keywords_static.c | 324 ++-- .../crypto/proposal/proposal_keywords_static.txt | 8 +- src/libstrongswan/fetcher/fetcher_manager.c | 2 +- src/libstrongswan/library.c | 49 +- src/libstrongswan/library.h | 16 +- src/libstrongswan/networking/host_resolver.c | 8 +- src/libstrongswan/networking/streams/stream.c | 17 +- src/libstrongswan/networking/streams/stream.h | 5 +- src/libstrongswan/networking/tun_device.c | 8 +- src/libstrongswan/networking/tun_device.h | 1 - src/libstrongswan/plugins/aes/Makefile.in | 12 +- src/libstrongswan/plugins/af_alg/Makefile.in | 12 +- src/libstrongswan/plugins/agent/Makefile.in | 12 +- src/libstrongswan/plugins/agent/agent_plugin.c | 8 +- .../plugins/agent/agent_private_key.c | 1 - src/libstrongswan/plugins/blowfish/Makefile.in | 12 +- src/libstrongswan/plugins/ccm/Makefile.in | 12 +- src/libstrongswan/plugins/cmac/Makefile.in | 12 +- src/libstrongswan/plugins/constraints/Makefile.in | 12 +- src/libstrongswan/plugins/ctr/Makefile.in | 12 +- src/libstrongswan/plugins/curl/Makefile.in | 12 +- src/libstrongswan/plugins/curl/curl_fetcher.c | 17 +- src/libstrongswan/plugins/des/Makefile.in | 12 +- src/libstrongswan/plugins/dnskey/Makefile.in | 12 +- src/libstrongswan/plugins/fips_prf/Makefile.in | 12 +- src/libstrongswan/plugins/gcm/Makefile.in | 12 +- src/libstrongswan/plugins/gcrypt/Makefile.in | 12 +- src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c | 4 +- src/libstrongswan/plugins/gmp/Makefile.in | 12 +- src/libstrongswan/plugins/hmac/Makefile.in | 12 +- src/libstrongswan/plugins/keychain/Makefile.in | 12 +- src/libstrongswan/plugins/ldap/Makefile.in | 12 +- src/libstrongswan/plugins/md4/Makefile.in | 12 +- src/libstrongswan/plugins/md5/Makefile.in | 12 +- src/libstrongswan/plugins/mysql/Makefile.in | 12 +- src/libstrongswan/plugins/nonce/Makefile.in | 12 +- src/libstrongswan/plugins/ntru/Makefile.am | 33 + 
src/libstrongswan/plugins/ntru/Makefile.in | 812 ++++++++ .../plugins/ntru/ntru_crypto/ntru_crypto.h | 235 +++ .../ntru/ntru_crypto/ntru_crypto_ntru_convert.c | 581 ++++++ .../ntru/ntru_crypto/ntru_crypto_ntru_convert.h | 183 ++ .../ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c | 1034 ++++++++++ .../ntru_crypto/ntru_crypto_ntru_encrypt_key.c | 360 ++++ .../ntru_crypto/ntru_crypto_ntru_encrypt_key.h | 167 ++ .../ntru_crypto_ntru_encrypt_param_sets.c | 384 ++++ .../ntru_crypto_ntru_encrypt_param_sets.h | 101 + .../ntru/ntru_crypto/ntru_crypto_ntru_poly.c | 242 +++ .../ntru/ntru_crypto/ntru_crypto_ntru_poly.h | 96 + src/libstrongswan/plugins/ntru/ntru_drbg.c | 279 +++ src/libstrongswan/plugins/ntru/ntru_drbg.h | 77 + src/libstrongswan/plugins/ntru/ntru_ke.c | 396 ++++ src/libstrongswan/plugins/ntru/ntru_ke.h | 50 + src/libstrongswan/plugins/ntru/ntru_mgf1.c | 182 ++ src/libstrongswan/plugins/ntru/ntru_mgf1.h | 77 + src/libstrongswan/plugins/ntru/ntru_plugin.c | 83 + src/libstrongswan/plugins/ntru/ntru_plugin.h | 42 + src/libstrongswan/plugins/ntru/ntru_poly.c | 416 ++++ src/libstrongswan/plugins/ntru/ntru_poly.h | 99 + src/libstrongswan/plugins/ntru/ntru_trits.c | 133 ++ src/libstrongswan/plugins/ntru/ntru_trits.h | 61 + src/libstrongswan/plugins/openssl/Makefile.in | 12 +- src/libstrongswan/plugins/openssl/openssl_crl.c | 2 +- .../plugins/openssl/openssl_ec_diffie_hellman.c | 7 +- src/libstrongswan/plugins/openssl/openssl_plugin.c | 2 +- .../plugins/openssl/openssl_rsa_private_key.c | 2 +- src/libstrongswan/plugins/openssl/openssl_x509.c | 2 +- src/libstrongswan/plugins/padlock/Makefile.in | 12 +- src/libstrongswan/plugins/pem/Makefile.in | 12 +- src/libstrongswan/plugins/pem/pem_builder.c | 35 +- src/libstrongswan/plugins/pgp/Makefile.in | 12 +- src/libstrongswan/plugins/pkcs1/Makefile.in | 12 +- src/libstrongswan/plugins/pkcs11/Makefile.in | 12 +- src/libstrongswan/plugins/pkcs11/pkcs11_dh.c | 2 +- src/libstrongswan/plugins/pkcs11/pkcs11_manager.c | 8 +- 
src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c | 18 +- src/libstrongswan/plugins/pkcs12/Makefile.in | 12 +- src/libstrongswan/plugins/pkcs7/Makefile.in | 12 +- src/libstrongswan/plugins/pkcs8/Makefile.in | 12 +- src/libstrongswan/plugins/plugin_loader.c | 158 +- src/libstrongswan/plugins/plugin_loader.h | 18 +- src/libstrongswan/plugins/pubkey/Makefile.in | 12 +- src/libstrongswan/plugins/random/Makefile.in | 12 +- src/libstrongswan/plugins/random/random_plugin.c | 17 +- src/libstrongswan/plugins/random/random_plugin.h | 5 + src/libstrongswan/plugins/random/random_rng.c | 4 + src/libstrongswan/plugins/rc2/Makefile.in | 12 +- src/libstrongswan/plugins/rdrand/Makefile.in | 12 +- src/libstrongswan/plugins/rdrand/rdrand_plugin.c | 16 +- src/libstrongswan/plugins/revocation/Makefile.in | 12 +- src/libstrongswan/plugins/sha1/Makefile.in | 12 +- src/libstrongswan/plugins/sha2/Makefile.in | 12 +- src/libstrongswan/plugins/soup/Makefile.in | 12 +- src/libstrongswan/plugins/sqlite/Makefile.in | 12 +- src/libstrongswan/plugins/sshkey/Makefile.in | 12 +- src/libstrongswan/plugins/sshkey/sshkey_builder.c | 1 + src/libstrongswan/plugins/test_vectors/Makefile.in | 12 +- src/libstrongswan/plugins/unbound/Makefile.in | 12 +- .../plugins/unbound/unbound_resolver.c | 12 +- src/libstrongswan/plugins/x509/Makefile.in | 12 +- src/libstrongswan/plugins/x509/x509_cert.c | 6 +- src/libstrongswan/plugins/x509/x509_crl.c | 2 +- src/libstrongswan/plugins/xcbc/Makefile.in | 12 +- src/libstrongswan/processing/processor.c | 2 +- src/libstrongswan/processing/watcher.c | 2 +- src/libstrongswan/tests/Makefile.am | 67 +- src/libstrongswan/tests/Makefile.in | 1302 +++++++------ src/libstrongswan/tests/suites/test_array.c | 532 +++++ src/libstrongswan/tests/suites/test_asn1.c | 869 +++++++++ src/libstrongswan/tests/suites/test_asn1_parser.c | 291 +++ src/libstrongswan/tests/suites/test_bio_reader.c | 450 +++++ src/libstrongswan/tests/suites/test_bio_writer.c | 392 ++++ 
src/libstrongswan/tests/suites/test_chunk.c | 1027 ++++++++++ src/libstrongswan/tests/suites/test_crypter.c | 107 + src/libstrongswan/tests/suites/test_ecdsa.c | 243 +++ src/libstrongswan/tests/suites/test_enum.c | 248 +++ src/libstrongswan/tests/suites/test_enumerator.c | 409 ++++ src/libstrongswan/tests/suites/test_fetch_http.c | 273 +++ src/libstrongswan/tests/suites/test_hasher.c | 189 ++ src/libstrongswan/tests/suites/test_hashtable.c | 346 ++++ src/libstrongswan/tests/suites/test_host.c | 651 +++++++ .../tests/suites/test_identification.c | 857 ++++++++ src/libstrongswan/tests/suites/test_linked_list.c | 390 ++++ .../tests/suites/test_linked_list_enumerator.c | 361 ++++ src/libstrongswan/tests/suites/test_ntru.c | 1042 ++++++++++ src/libstrongswan/tests/suites/test_pen.c | 87 + src/libstrongswan/tests/suites/test_printf.c | 228 +++ src/libstrongswan/tests/suites/test_rsa.c | 399 ++++ src/libstrongswan/tests/suites/test_settings.c | 920 +++++++++ src/libstrongswan/tests/suites/test_stream.c | 267 +++ src/libstrongswan/tests/suites/test_test_rng.c | 56 + src/libstrongswan/tests/suites/test_threading.c | 1466 ++++++++++++++ src/libstrongswan/tests/suites/test_utils.c | 743 +++++++ src/libstrongswan/tests/suites/test_vectors.c | 42 + src/libstrongswan/tests/suites/test_watcher.c | 214 ++ src/libstrongswan/tests/test_array.c | 360 ---- src/libstrongswan/tests/test_bio_reader.c | 450 ----- src/libstrongswan/tests/test_bio_writer.c | 392 ---- src/libstrongswan/tests/test_chunk.c | 876 --------- src/libstrongswan/tests/test_ecdsa.c | 237 --- src/libstrongswan/tests/test_enum.c | 248 --- src/libstrongswan/tests/test_enumerator.c | 409 ---- src/libstrongswan/tests/test_hashtable.c | 346 ---- src/libstrongswan/tests/test_host.c | 651 ------- src/libstrongswan/tests/test_identification.c | 857 -------- src/libstrongswan/tests/test_linked_list.c | 386 ---- .../tests/test_linked_list_enumerator.c | 361 ---- src/libstrongswan/tests/test_printf.c | 185 -- 
src/libstrongswan/tests/test_rsa.c | 393 ---- src/libstrongswan/tests/test_runner.c | 500 ++++- src/libstrongswan/tests/test_runner.h | 84 +- src/libstrongswan/tests/test_suite.c | 277 +++ src/libstrongswan/tests/test_suite.h | 350 +++- src/libstrongswan/tests/test_threading.c | 110 -- src/libstrongswan/tests/test_utils.c | 556 ------ src/libstrongswan/tests/test_vectors.c | 41 - src/libstrongswan/tests/tests.c | 56 + src/libstrongswan/tests/tests.h | 43 + src/libstrongswan/tests/utils/test_rng.c | 86 + src/libstrongswan/tests/utils/test_rng.h | 36 + src/libstrongswan/threading/thread.h | 9 +- src/libstrongswan/utils/backtrace.c | 4 +- src/libstrongswan/utils/backtrace.h | 4 +- src/libstrongswan/utils/capabilities.h | 3 + src/libstrongswan/utils/chunk.c | 193 +- src/libstrongswan/utils/chunk.h | 44 +- src/libstrongswan/utils/identification.c | 7 +- src/libstrongswan/utils/integrity_checker.c | 37 +- src/libstrongswan/utils/leak_detective.c | 112 +- src/libstrongswan/utils/leak_detective.h | 52 +- .../utils/printf_hook/printf_hook_builtin.c | 16 +- .../utils/printf_hook/printf_hook_glibc.c | 2 +- src/libstrongswan/utils/settings.c | 486 +++-- src/libstrongswan/utils/settings.h | 25 + src/libstrongswan/utils/test.c | 50 + src/libstrongswan/utils/test.h | 96 + src/libstrongswan/utils/utils.c | 220 ++- src/libstrongswan/utils/utils.h | 70 +- src/libstrongswan/utils/utils/strerror.c | 97 + src/libstrongswan/utils/utils/strerror.h | 40 + src/libtls/Makefile.in | 12 +- src/libtls/tls.c | 1 + src/libtls/tls_crypto.c | 12 +- src/libtnccs/Android.mk | 1 - src/libtnccs/Makefile.in | 12 +- src/libtnccs/plugins/tnc_imc/Makefile.in | 12 +- src/libtnccs/plugins/tnc_imc/tnc_imc.c | 2 +- src/libtnccs/plugins/tnc_imc/tnc_imc_manager.c | 2 +- src/libtnccs/plugins/tnc_imv/Makefile.in | 12 +- src/libtnccs/plugins/tnc_imv/tnc_imv.c | 2 +- src/libtnccs/plugins/tnc_imv/tnc_imv_manager.c | 4 +- src/libtnccs/plugins/tnc_tnccs/Makefile.in | 12 +- src/libtnccs/plugins/tnccs_11/Makefile.in | 
12 +- src/libtnccs/plugins/tnccs_11/tnccs_11.c | 2 +- src/libtnccs/plugins/tnccs_20/Makefile.in | 12 +- src/libtnccs/plugins/tnccs_20/tnccs_20.c | 4 +- src/libtnccs/plugins/tnccs_dynamic/Makefile.in | 12 +- src/libtnccs/tnc/tnc.c | 44 +- src/libtncif/Android.mk | 1 - src/libtncif/Makefile.in | 12 +- src/manager/Makefile.in | 12 +- src/manager/main.c | 2 +- src/medsrv/Makefile.in | 12 +- src/medsrv/main.c | 2 +- src/openac/Makefile.in | 12 +- src/openac/openac.c | 12 +- src/pki/Makefile.in | 12 +- src/pki/command.c | 27 +- src/pki/command.h | 6 +- src/pki/commands/issue.c | 16 +- src/pki/commands/keyid.c | 9 +- src/pki/commands/print.c | 7 +- src/pki/commands/pub.c | 9 +- src/pki/commands/req.c | 8 +- src/pki/commands/self.c | 8 +- src/pki/commands/verify.c | 8 +- src/pki/man/Makefile.in | 12 +- src/pki/man/pki---issue.1.in | 2 +- src/pki/pki.c | 2 +- src/pool/Makefile.am | 7 + src/pool/Makefile.in | 128 +- src/pool/mysql.sql | 281 +++ src/pool/pool.c | 13 +- src/pool/sqlite.sql | 283 +++ src/pt-tls-client/Makefile.in | 12 +- src/pt-tls-client/pt-tls-client.c | 2 +- src/scepclient/Makefile.in | 12 +- src/scepclient/scepclient.c | 39 +- src/starter/Android.mk | 1 - src/starter/Makefile.in | 12 +- src/starter/starter.c | 4 +- src/stroke/Android.mk | 1 - src/stroke/Makefile.in | 12 +- src/stroke/stroke.c | 2 +- src/strongswan.conf | 34 - test-driver | 127 -- testing/Makefile.am | 2 +- testing/Makefile.in | 14 +- testing/config/kernel/config-3.12 | 2022 +++++++++++++++++++ testing/config/kernel/config-3.13 | 2047 ++++++++++++++++++++ testing/hosts/default/etc/ipsec.d/tables.sql | 270 --- testing/hosts/default/etc/pts/data.sql | 1060 ---------- testing/hosts/default/etc/pts/tables.sql | 256 --- testing/scripts/build-baseimage | 2 +- testing/scripts/build-guestkernel | 2 +- testing/scripts/recipes/003_freeradius.mk | 2 +- testing/scripts/recipes/010_tkm.mk | 2 +- testing/scripts/recipes/013_strongswan.mk | 4 +- testing/ssh | 37 + testing/testing.conf | 10 +- 
testing/tests/ikev1/ip-pool-db/pretest.dat | 4 +- .../tests/ikev1/net2net-ntru-cert/description.txt | 7 + testing/tests/ikev1/net2net-ntru-cert/evaltest.dat | 9 + .../net2net-ntru-cert/hosts/moon/etc/ipsec.conf | 25 + .../hosts/moon/etc/strongswan.conf | 15 + .../net2net-ntru-cert/hosts/sun/etc/ipsec.conf | 25 + .../hosts/sun/etc/strongswan.conf | 7 + testing/tests/ikev1/net2net-ntru-cert/posttest.dat | 5 + testing/tests/ikev1/net2net-ntru-cert/pretest.dat | 6 + testing/tests/ikev1/net2net-ntru-cert/test.conf | 21 + testing/tests/ikev1/rw-ntru-psk/description.txt | 13 + testing/tests/ikev1/rw-ntru-psk/evaltest.dat | 22 + .../ikev1/rw-ntru-psk/hosts/carol/etc/ipsec.conf | 23 + .../rw-ntru-psk/hosts/carol/etc/ipsec.secrets | 3 + .../rw-ntru-psk/hosts/carol/etc/strongswan.conf | 6 + .../ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.conf | 23 + .../ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.secrets | 3 + .../rw-ntru-psk/hosts/dave/etc/strongswan.conf | 6 + .../ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.conf | 32 + .../ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.secrets | 5 + .../rw-ntru-psk/hosts/moon/etc/strongswan.conf | 6 + testing/tests/ikev1/rw-ntru-psk/posttest.dat | 6 + testing/tests/ikev1/rw-ntru-psk/pretest.dat | 13 + testing/tests/ikev1/rw-ntru-psk/test.conf | 21 + testing/tests/ikev2/compress-nat/description.txt | 3 + testing/tests/ikev2/compress-nat/evaltest.dat | 22 + .../ikev2/compress-nat/hosts/alice/etc/ipsec.conf | 24 + .../compress-nat/hosts/alice/etc/strongswan.conf | 5 + .../ikev2/compress-nat/hosts/bob/etc/ipsec.conf | 24 + .../compress-nat/hosts/bob/etc/strongswan.conf | 5 + .../ikev2/compress-nat/hosts/carol/etc/ipsec.conf | 23 + .../compress-nat/hosts/carol/etc/iptables.rules | 24 + .../compress-nat/hosts/carol/etc/strongswan.conf | 5 + testing/tests/ikev2/compress-nat/posttest.dat | 10 + testing/tests/ikev2/compress-nat/pretest.dat | 21 + testing/tests/ikev2/compress-nat/test.conf | 21 + testing/tests/ikev2/compress/description.txt | 7 +- 
testing/tests/ikev2/compress/evaltest.dat | 4 +- .../ikev2/compress/hosts/carol/etc/ipsec.conf | 1 + .../ikev2/compress/hosts/carol/etc/strongswan.conf | 2 +- .../tests/ikev2/compress/hosts/moon/etc/ipsec.conf | 1 + .../ikev2/compress/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/ikev2/compress/posttest.dat | 2 + testing/tests/ikev2/compress/pretest.dat | 2 + .../ikev2/host2host-transport-nat/description.txt | 13 + .../ikev2/host2host-transport-nat/evaltest.dat | 12 + .../hosts/alice/etc/ipsec.conf | 18 + .../hosts/sun/etc/ipsec.conf | 18 + .../hosts/sun/etc/iptables.rules | 28 + .../hosts/venus/etc/ipsec.conf | 18 + .../ikev2/host2host-transport-nat/posttest.dat | 6 + .../ikev2/host2host-transport-nat/pretest.dat | 12 + .../tests/ikev2/host2host-transport-nat/test.conf | 21 + testing/tests/ikev2/ip-pool-db/pretest.dat | 4 +- testing/tests/ikev2/ip-split-pools-db/pretest.dat | 4 +- testing/tests/ikev2/ip-two-pools-db/pretest.dat | 6 +- testing/tests/ikev2/ip-two-pools-mixed/pretest.dat | 4 +- .../tests/ikev2/ip-two-pools-v4v6-db/pretest.dat | 4 +- testing/tests/ikev2/lookip/description.txt | 13 + testing/tests/ikev2/lookip/evaltest.dat | 22 + .../tests/ikev2/lookip/hosts/carol/etc/ipsec.conf | 21 + .../ikev2/lookip/hosts/carol/etc/strongswan.conf | 5 + .../tests/ikev2/lookip/hosts/dave/etc/ipsec.conf | 21 + .../ikev2/lookip/hosts/dave/etc/strongswan.conf | 5 + .../tests/ikev2/lookip/hosts/moon/etc/ipsec.conf | 20 + .../ikev2/lookip/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/lookip/posttest.dat | 6 + testing/tests/ikev2/lookip/pretest.dat | 10 + testing/tests/ikev2/lookip/test.conf | 21 + .../tests/ikev2/net2net-ntru-cert/description.txt | 7 + testing/tests/ikev2/net2net-ntru-cert/evaltest.dat | 9 + .../net2net-ntru-cert/hosts/moon/etc/ipsec.conf | 25 + .../hosts/moon/etc/strongswan.conf | 15 + .../net2net-ntru-cert/hosts/sun/etc/ipsec.conf | 25 + .../hosts/sun/etc/strongswan.conf | 7 + testing/tests/ikev2/net2net-ntru-cert/posttest.dat | 5 + 
testing/tests/ikev2/net2net-ntru-cert/pretest.dat | 6 + testing/tests/ikev2/net2net-ntru-cert/test.conf | 21 + testing/tests/ikev2/rw-ntru-psk/description.txt | 13 + testing/tests/ikev2/rw-ntru-psk/evaltest.dat | 22 + .../ikev2/rw-ntru-psk/hosts/carol/etc/ipsec.conf | 23 + .../rw-ntru-psk/hosts/carol/etc/ipsec.secrets | 3 + .../rw-ntru-psk/hosts/carol/etc/strongswan.conf | 6 + .../ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.conf | 23 + .../ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.secrets | 3 + .../rw-ntru-psk/hosts/dave/etc/strongswan.conf | 6 + .../ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.conf | 22 + .../ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.secrets | 5 + .../rw-ntru-psk/hosts/moon/etc/strongswan.conf | 6 + testing/tests/ikev2/rw-ntru-psk/posttest.dat | 6 + testing/tests/ikev2/rw-ntru-psk/pretest.dat | 13 + testing/tests/ikev2/rw-ntru-psk/test.conf | 21 + .../tests/ipv6/rw-compress-ikev2/description.txt | 10 + testing/tests/ipv6/rw-compress-ikev2/evaltest.dat | 13 + .../rw-compress-ikev2/hosts/carol/etc/ipsec.conf | 25 + .../hosts/carol/etc/strongswan.conf | 5 + .../rw-compress-ikev2/hosts/moon/etc/ipsec.conf | 24 + .../hosts/moon/etc/strongswan.conf | 5 + testing/tests/ipv6/rw-compress-ikev2/posttest.dat | 8 + testing/tests/ipv6/rw-compress-ikev2/pretest.dat | 13 + testing/tests/ipv6/rw-compress-ikev2/test.conf | 22 + testing/tests/sql/ip-pool-db-expired/pretest.dat | 6 +- testing/tests/sql/ip-pool-db-restart/pretest.dat | 6 +- testing/tests/sql/ip-pool-db/pretest.dat | 6 +- .../sql/ip-split-pools-db-restart/pretest.dat | 6 +- testing/tests/sql/ip-split-pools-db/pretest.dat | 6 +- testing/tests/sql/multi-level-ca/pretest.dat | 6 +- testing/tests/sql/net2net-cert/pretest.dat | 6 +- testing/tests/sql/net2net-psk/pretest.dat | 6 +- testing/tests/sql/net2net-route-pem/pretest.dat | 4 +- testing/tests/sql/net2net-start-pem/pretest.dat | 4 +- testing/tests/sql/rw-cert/pretest.dat | 6 +- testing/tests/sql/rw-eap-aka-rsa/pretest.dat | 4 +- 
testing/tests/sql/rw-psk-ipv4/pretest.dat | 6 +- testing/tests/sql/rw-psk-ipv6/pretest.dat | 6 +- testing/tests/sql/rw-psk-rsa-split/pretest.dat | 6 +- testing/tests/sql/rw-rsa-keyid/pretest.dat | 6 +- testing/tests/sql/rw-rsa/pretest.dat | 6 +- testing/tests/sql/shunt-policies/pretest.dat | 6 +- .../hosts/moon/etc/strongswan.conf | 8 + .../hosts/moon/etc/strongswan.conf | 8 + .../hosts/moon/etc/strongswan.conf | 8 + .../multiple-clients/hosts/sun/etc/strongswan.conf | 8 + .../hosts/moon/etc/strongswan.conf | 8 + .../hosts/moon/etc/strongswan.conf | 8 + testing/tests/tnc/tnccs-11-radius-pts/pretest.dat | 2 +- testing/tests/tnc/tnccs-20-os/pretest.dat | 6 +- testing/tests/tnc/tnccs-20-pt-tls/pretest.dat | 2 +- testing/tests/tnc/tnccs-20-pts/pretest.dat | 6 +- 862 files changed, 41723 insertions(+), 14293 deletions(-) create mode 100644 conf/Makefile.am create mode 100644 conf/Makefile.in create mode 100644 conf/default.conf create mode 100644 conf/default.opt create mode 100755 conf/format-options.py create mode 100644 conf/options/attest.conf create mode 100644 conf/options/attest.opt create mode 100644 conf/options/charon-logging.conf create mode 100644 conf/options/charon-logging.opt create mode 100644 conf/options/charon.conf create mode 100644 conf/options/charon.opt create mode 100644 conf/options/imcv.conf create mode 100644 conf/options/imcv.opt create mode 100644 conf/options/manager.conf create mode 100644 conf/options/manager.opt create mode 100644 conf/options/medsrv.conf create mode 100644 conf/options/medsrv.opt create mode 100644 conf/options/pacman.conf create mode 100644 conf/options/pacman.opt create mode 100644 conf/options/pool.conf create mode 100644 conf/options/pool.opt create mode 100644 conf/options/starter.conf create mode 100644 conf/options/starter.opt create mode 100644 conf/options/tnc.conf create mode 100644 conf/options/tnc.opt create mode 100644 conf/options/tools.conf create mode 100644 conf/options/tools.opt create mode 100644 
conf/plugins/android_log.conf create mode 100644 conf/plugins/android_log.opt create mode 100644 conf/plugins/attr-sql.conf create mode 100644 conf/plugins/attr-sql.opt create mode 100644 conf/plugins/attr.conf create mode 100644 conf/plugins/attr.opt create mode 100644 conf/plugins/certexpire.conf create mode 100644 conf/plugins/certexpire.opt create mode 100644 conf/plugins/coupling.conf create mode 100644 conf/plugins/coupling.opt create mode 100644 conf/plugins/dhcp.conf create mode 100644 conf/plugins/dhcp.opt create mode 100644 conf/plugins/dnscert.conf create mode 100644 conf/plugins/dnscert.opt create mode 100644 conf/plugins/duplicheck.conf create mode 100644 conf/plugins/duplicheck.opt create mode 100644 conf/plugins/eap-aka-3ggp2.conf create mode 100644 conf/plugins/eap-aka-3ggp2.opt create mode 100644 conf/plugins/eap-aka.conf create mode 100644 conf/plugins/eap-aka.opt create mode 100644 conf/plugins/eap-dynamic.conf create mode 100644 conf/plugins/eap-dynamic.opt create mode 100644 conf/plugins/eap-gtc.conf create mode 100644 conf/plugins/eap-gtc.opt create mode 100644 conf/plugins/eap-peap.conf create mode 100644 conf/plugins/eap-peap.opt create mode 100644 conf/plugins/eap-radius.conf create mode 100644 conf/plugins/eap-radius.opt create mode 100644 conf/plugins/eap-sim.conf create mode 100644 conf/plugins/eap-sim.opt create mode 100644 conf/plugins/eap-simaka-sql.conf create mode 100644 conf/plugins/eap-simaka-sql.opt create mode 100644 conf/plugins/eap-tls.conf create mode 100644 conf/plugins/eap-tls.opt create mode 100644 conf/plugins/eap-tnc.conf create mode 100644 conf/plugins/eap-tnc.opt create mode 100644 conf/plugins/eap-ttls.conf create mode 100644 conf/plugins/eap-ttls.opt create mode 100644 conf/plugins/error-notify.conf create mode 100644 conf/plugins/error-notify.opt create mode 100644 conf/plugins/gcrypt.conf create mode 100644 conf/plugins/gcrypt.opt create mode 100644 conf/plugins/ha.conf create mode 100644 conf/plugins/ha.opt create 
mode 100644 conf/plugins/imc-attestation.conf create mode 100644 conf/plugins/imc-attestation.opt create mode 100644 conf/plugins/imc-os.conf create mode 100644 conf/plugins/imc-os.opt create mode 100644 conf/plugins/imc-scanner.conf create mode 100644 conf/plugins/imc-scanner.opt create mode 100644 conf/plugins/imc-swid.conf create mode 100644 conf/plugins/imc-swid.opt create mode 100644 conf/plugins/imc-test.conf create mode 100644 conf/plugins/imc-test.opt create mode 100644 conf/plugins/imv-attestation.conf create mode 100644 conf/plugins/imv-attestation.opt create mode 100644 conf/plugins/imv-os.conf create mode 100644 conf/plugins/imv-os.opt create mode 100644 conf/plugins/imv-scanner.conf create mode 100644 conf/plugins/imv-scanner.opt create mode 100644 conf/plugins/imv-test.conf create mode 100644 conf/plugins/imv-test.opt create mode 100644 conf/plugins/ipseckey.conf create mode 100644 conf/plugins/ipseckey.opt create mode 100644 conf/plugins/kernel-klips.conf create mode 100644 conf/plugins/kernel-klips.opt create mode 100644 conf/plugins/kernel-libipsec.conf create mode 100644 conf/plugins/kernel-libipsec.opt create mode 100644 conf/plugins/kernel-netlink.conf create mode 100644 conf/plugins/kernel-netlink.opt create mode 100644 conf/plugins/kernel-pfroute.conf create mode 100644 conf/plugins/kernel-pfroute.opt create mode 100644 conf/plugins/led.conf create mode 100644 conf/plugins/led.opt create mode 100644 conf/plugins/load-tester.conf create mode 100644 conf/plugins/load-tester.opt create mode 100644 conf/plugins/lookip.conf create mode 100644 conf/plugins/lookip.opt create mode 100644 conf/plugins/ntru.conf create mode 100644 conf/plugins/ntru.opt create mode 100644 conf/plugins/openssl.conf create mode 100644 conf/plugins/openssl.opt create mode 100644 conf/plugins/pkcs11.conf create mode 100644 conf/plugins/pkcs11.opt create mode 100644 conf/plugins/radattr.conf create mode 100644 conf/plugins/radattr.opt create mode 100644 
conf/plugins/random.conf create mode 100644 conf/plugins/random.opt create mode 100644 conf/plugins/resolve.conf create mode 100644 conf/plugins/resolve.opt create mode 100644 conf/plugins/socket-default.conf create mode 100644 conf/plugins/socket-default.opt create mode 100644 conf/plugins/sql.conf create mode 100644 conf/plugins/sql.opt create mode 100644 conf/plugins/stroke.conf create mode 100644 conf/plugins/stroke.opt create mode 100644 conf/plugins/systime-fix.conf create mode 100644 conf/plugins/systime-fix.opt create mode 100644 conf/plugins/tnc-ifmap.conf create mode 100644 conf/plugins/tnc-ifmap.opt create mode 100644 conf/plugins/tnc-imc.conf create mode 100644 conf/plugins/tnc-imc.opt create mode 100644 conf/plugins/tnc-imv.conf create mode 100644 conf/plugins/tnc-imv.opt create mode 100644 conf/plugins/tnc-pdp.conf create mode 100644 conf/plugins/tnc-pdp.opt create mode 100644 conf/plugins/tnccs-11.conf create mode 100644 conf/plugins/tnccs-11.opt create mode 100644 conf/plugins/tnccs-20.conf create mode 100644 conf/plugins/tnccs-20.opt create mode 100644 conf/plugins/unbound.conf create mode 100644 conf/plugins/unbound.opt create mode 100644 conf/plugins/updown.conf create mode 100644 conf/plugins/updown.opt create mode 100644 conf/plugins/whitelist.conf create mode 100644 conf/plugins/whitelist.opt create mode 100644 conf/plugins/xauth-eap.conf create mode 100644 conf/plugins/xauth-eap.opt create mode 100644 conf/plugins/xauth-pam.conf create mode 100644 conf/plugins/xauth-pam.opt create mode 100644 conf/strongswan.conf create mode 100644 conf/strongswan.conf.5.head.in create mode 100644 conf/strongswan.conf.5.main create mode 100644 conf/strongswan.conf.5.tail.in delete mode 100644 man/strongswan.conf.5.in delete mode 100644 src/charon-tkm/tests/test_runner.c delete mode 100644 src/charon-tkm/tests/test_runner.h create mode 100644 src/charon-tkm/tests/tests.c create mode 100644 src/charon-tkm/tests/tests.h create mode 100644 
src/libcharon/plugins/xauth_pam/xauth_pam_listener.c create mode 100644 src/libcharon/plugins/xauth_pam/xauth_pam_listener.h create mode 100644 src/libstrongswan/plugins/ntru/Makefile.am create mode 100644 src/libstrongswan/plugins/ntru/Makefile.in create mode 100644 src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h create mode 100644 src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.c create mode 100644 src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.h create mode 100644 src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c create mode 100644 src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c create mode 100644 src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h create mode 100644 src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c create mode 100644 src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h create mode 100644 src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c create mode 100644 src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h create mode 100644 src/libstrongswan/plugins/ntru/ntru_drbg.c create mode 100644 src/libstrongswan/plugins/ntru/ntru_drbg.h create mode 100644 src/libstrongswan/plugins/ntru/ntru_ke.c create mode 100644 src/libstrongswan/plugins/ntru/ntru_ke.h create mode 100644 src/libstrongswan/plugins/ntru/ntru_mgf1.c create mode 100644 src/libstrongswan/plugins/ntru/ntru_mgf1.h create mode 100644 src/libstrongswan/plugins/ntru/ntru_plugin.c create mode 100644 src/libstrongswan/plugins/ntru/ntru_plugin.h create mode 100644 src/libstrongswan/plugins/ntru/ntru_poly.c create mode 100644 src/libstrongswan/plugins/ntru/ntru_poly.h create mode 100644 src/libstrongswan/plugins/ntru/ntru_trits.c create mode 100644 src/libstrongswan/plugins/ntru/ntru_trits.h create mode 100644 src/libstrongswan/tests/suites/test_array.c create mode 100644 
src/libstrongswan/tests/suites/test_asn1.c create mode 100644 src/libstrongswan/tests/suites/test_asn1_parser.c create mode 100644 src/libstrongswan/tests/suites/test_bio_reader.c create mode 100644 src/libstrongswan/tests/suites/test_bio_writer.c create mode 100644 src/libstrongswan/tests/suites/test_chunk.c create mode 100644 src/libstrongswan/tests/suites/test_crypter.c create mode 100644 src/libstrongswan/tests/suites/test_ecdsa.c create mode 100644 src/libstrongswan/tests/suites/test_enum.c create mode 100644 src/libstrongswan/tests/suites/test_enumerator.c create mode 100644 src/libstrongswan/tests/suites/test_fetch_http.c create mode 100644 src/libstrongswan/tests/suites/test_hasher.c create mode 100644 src/libstrongswan/tests/suites/test_hashtable.c create mode 100644 src/libstrongswan/tests/suites/test_host.c create mode 100644 src/libstrongswan/tests/suites/test_identification.c create mode 100644 src/libstrongswan/tests/suites/test_linked_list.c create mode 100644 src/libstrongswan/tests/suites/test_linked_list_enumerator.c create mode 100644 src/libstrongswan/tests/suites/test_ntru.c create mode 100644 src/libstrongswan/tests/suites/test_pen.c create mode 100644 src/libstrongswan/tests/suites/test_printf.c create mode 100644 src/libstrongswan/tests/suites/test_rsa.c create mode 100644 src/libstrongswan/tests/suites/test_settings.c create mode 100644 src/libstrongswan/tests/suites/test_stream.c create mode 100644 src/libstrongswan/tests/suites/test_test_rng.c create mode 100644 src/libstrongswan/tests/suites/test_threading.c create mode 100644 src/libstrongswan/tests/suites/test_utils.c create mode 100644 src/libstrongswan/tests/suites/test_vectors.c create mode 100644 src/libstrongswan/tests/suites/test_watcher.c delete mode 100644 src/libstrongswan/tests/test_array.c delete mode 100644 src/libstrongswan/tests/test_bio_reader.c delete mode 100644 src/libstrongswan/tests/test_bio_writer.c delete mode 100644 src/libstrongswan/tests/test_chunk.c delete 
mode 100644 src/libstrongswan/tests/test_ecdsa.c delete mode 100644 src/libstrongswan/tests/test_enum.c delete mode 100644 src/libstrongswan/tests/test_enumerator.c delete mode 100644 src/libstrongswan/tests/test_hashtable.c delete mode 100644 src/libstrongswan/tests/test_host.c delete mode 100644 src/libstrongswan/tests/test_identification.c delete mode 100644 src/libstrongswan/tests/test_linked_list.c delete mode 100644 src/libstrongswan/tests/test_linked_list_enumerator.c delete mode 100644 src/libstrongswan/tests/test_printf.c delete mode 100644 src/libstrongswan/tests/test_rsa.c create mode 100644 src/libstrongswan/tests/test_suite.c delete mode 100644 src/libstrongswan/tests/test_threading.c delete mode 100644 src/libstrongswan/tests/test_utils.c delete mode 100644 src/libstrongswan/tests/test_vectors.c create mode 100644 src/libstrongswan/tests/tests.c create mode 100644 src/libstrongswan/tests/tests.h create mode 100644 src/libstrongswan/tests/utils/test_rng.c create mode 100644 src/libstrongswan/tests/utils/test_rng.h create mode 100644 src/libstrongswan/utils/test.c create mode 100644 src/libstrongswan/utils/test.h create mode 100644 src/libstrongswan/utils/utils/strerror.c create mode 100644 src/libstrongswan/utils/utils/strerror.h create mode 100644 src/pool/mysql.sql create mode 100644 src/pool/sqlite.sql delete mode 100644 src/strongswan.conf delete mode 100755 test-driver create mode 100644 testing/config/kernel/config-3.12 create mode 100644 testing/config/kernel/config-3.13 delete mode 100644 testing/hosts/default/etc/ipsec.d/tables.sql delete mode 100644 testing/hosts/default/etc/pts/data.sql delete mode 100644 testing/hosts/default/etc/pts/tables.sql create mode 100755 testing/ssh create mode 100644 testing/tests/ikev1/net2net-ntru-cert/description.txt create mode 100644 testing/tests/ikev1/net2net-ntru-cert/evaltest.dat create mode 100644 testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/ipsec.conf create mode 100644 
testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev1/net2net-ntru-cert/posttest.dat create mode 100644 testing/tests/ikev1/net2net-ntru-cert/pretest.dat create mode 100644 testing/tests/ikev1/net2net-ntru-cert/test.conf create mode 100644 testing/tests/ikev1/rw-ntru-psk/description.txt create mode 100644 testing/tests/ikev1/rw-ntru-psk/evaltest.dat create mode 100644 testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev1/rw-ntru-psk/posttest.dat create mode 100644 testing/tests/ikev1/rw-ntru-psk/pretest.dat create mode 100644 testing/tests/ikev1/rw-ntru-psk/test.conf create mode 100644 testing/tests/ikev2/compress-nat/description.txt create mode 100644 testing/tests/ikev2/compress-nat/evaltest.dat create mode 100644 testing/tests/ikev2/compress-nat/hosts/alice/etc/ipsec.conf create mode 100644 testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf create mode 100644 testing/tests/ikev2/compress-nat/hosts/bob/etc/ipsec.conf create mode 100644 testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf create mode 100644 
testing/tests/ikev2/compress-nat/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/compress-nat/hosts/carol/etc/iptables.rules create mode 100644 testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/compress-nat/posttest.dat create mode 100644 testing/tests/ikev2/compress-nat/pretest.dat create mode 100644 testing/tests/ikev2/compress-nat/test.conf create mode 100644 testing/tests/ikev2/host2host-transport-nat/description.txt create mode 100644 testing/tests/ikev2/host2host-transport-nat/evaltest.dat create mode 100644 testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/ipsec.conf create mode 100644 testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/iptables.rules create mode 100644 testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf create mode 100644 testing/tests/ikev2/host2host-transport-nat/posttest.dat create mode 100644 testing/tests/ikev2/host2host-transport-nat/pretest.dat create mode 100644 testing/tests/ikev2/host2host-transport-nat/test.conf create mode 100644 testing/tests/ikev2/lookip/description.txt create mode 100644 testing/tests/ikev2/lookip/evaltest.dat create mode 100644 testing/tests/ikev2/lookip/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/lookip/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/lookip/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/lookip/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/lookip/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/lookip/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/lookip/posttest.dat create mode 100644 testing/tests/ikev2/lookip/pretest.dat create mode 100644 testing/tests/ikev2/lookip/test.conf create mode 100644 testing/tests/ikev2/net2net-ntru-cert/description.txt create mode 100644 
testing/tests/ikev2/net2net-ntru-cert/evaltest.dat create mode 100644 testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/net2net-ntru-cert/posttest.dat create mode 100644 testing/tests/ikev2/net2net-ntru-cert/pretest.dat create mode 100644 testing/tests/ikev2/net2net-ntru-cert/test.conf create mode 100644 testing/tests/ikev2/rw-ntru-psk/description.txt create mode 100644 testing/tests/ikev2/rw-ntru-psk/evaltest.dat create mode 100644 testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-ntru-psk/posttest.dat create mode 100644 testing/tests/ikev2/rw-ntru-psk/pretest.dat create mode 100644 testing/tests/ikev2/rw-ntru-psk/test.conf create mode 100644 testing/tests/ipv6/rw-compress-ikev2/description.txt create mode 100644 testing/tests/ipv6/rw-compress-ikev2/evaltest.dat create mode 100644 testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf create mode 100644 
testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6/rw-compress-ikev2/posttest.dat create mode 100644 testing/tests/ipv6/rw-compress-ikev2/pretest.dat create mode 100644 testing/tests/ipv6/rw-compress-ikev2/test.conf create mode 100644 testing/tests/tkm/host2host-initiator/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/tkm/host2host-responder/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/tkm/multiple-clients/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/tkm/net2net-initiator/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/strongswan.conf diff --git a/Android.common.mk b/Android.common.mk index a28a1a7a0..14abca868 100644 --- a/Android.common.mk +++ b/Android.common.mk @@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \ ) # strongSwan version, replaced by top Makefile -strongswan_VERSION := "5.1.1" +strongswan_VERSION := "5.1.2" diff --git a/Android.mk b/Android.mk index aa61cc0e7..6ad220b7a 100644 --- a/Android.mk +++ b/Android.mk @@ -36,7 +36,6 @@ include $(LOCAL_PATH)/Android.common.mk # includes strongswan_PATH := $(LOCAL_PATH) -libvstr_PATH := external/strongswan-support/vstr/include libcurl_PATH := external/strongswan-support/libcurl/include libgmp_PATH := external/strongswan-support/gmp openssl_PATH := external/openssl/include @@ -77,7 +76,7 @@ strongswan_CFLAGS := \ -DMONOLITHIC \ -DUSE_IKEV1 \ -DUSE_IKEV2 \ - -DUSE_VSTR \ + -DUSE_BUILTIN_PRINTF \ -DDEBUG \ -DROUTING_TABLE=0 \ -DROUTING_TABLE_PRIO=220 \ diff --git a/Doxyfile.in b/Doxyfile.in index ac0a96c88..af172e34e 100644 --- a/Doxyfile.in +++ b/Doxyfile.in 
@@ -487,7 +487,7 @@ SORT_MEMBERS_CTORS_1ST = NO # hierarchy of group names into alphabetical order. If set to NO (the default) # the group names will appear in their defined order. -SORT_GROUP_NAMES = NO +SORT_GROUP_NAMES = YES # If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be # sorted by fully-qualified names, including namespaces. If set to diff --git a/Makefile.am b/Makefile.am index 0e08794c1..7e3c72b3b 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,4 +1,4 @@ -SUBDIRS = src man init testing +SUBDIRS = src man conf init testing if USE_SCRIPTS SUBDIRS += scripts @@ -20,6 +20,9 @@ config_includedir = $(ipseclibdir)/include nodist_config_include_HEADERS = config.h endif +# we leave config files behind intentionally so prevent distcheck from complaining +distuninstallcheck_listfiles = find . -type f \! -name '*.conf' -print + Android.common.mk : Android.common.mk.in configure.ac $(AM_V_GEN) \ sed \ @@ -39,7 +42,7 @@ apidoc : Doxyfile cov-reset-common: @rm -rf $(top_builddir)/coverage - @find $(top_builddir)/{src,scripts} -name "*.gcda" -delete + @find $(top_builddir)/src $(top_builddir)/scripts -name "*.gcda" -delete if COVERAGE cov-reset: cov-reset-common @@ -47,10 +50,12 @@ cov-reset: cov-reset-common cov-report: @mkdir $(top_builddir)/coverage - lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir) + lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir) \ + --rc lcov_branch_coverage=1 lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' \ - -o $(top_builddir)/coverage/coverage.cleaned.info - genhtml --num-spaces 4 --legend \ + -o $(top_builddir)/coverage/coverage.cleaned.info \ + --rc lcov_branch_coverage=1 + genhtml --num-spaces 4 --legend --branch-coverage \ -t "$(PACKAGE_STRING)" \ -o $(top_builddir)/coverage/html \ -p `readlink -m $(abs_top_srcdir)`/src \ 
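Review bot: The new `distuninstallcheck_listfiles` in the Makefile.am hunk `@@ -20,6 +20,9 @@` excludes every `*.conf` under the install tree from the post-uninstall check, not only the configuration snippets that are deliberately left behind, so any other `.conf` that `install` writes and `uninstall` forgets to remove would no longer be reported by distcheck. Narrowing the exclusion to where the snippets live keeps the check meaningful, e.g. `distuninstallcheck_listfiles = find . -type f \! -path '*/strongswan.d/*' \! -name 'strongswan.conf' -print` (the exact install location of the conf directory is not visible here, so the pattern may need adjusting). The same line is repeated in the Makefile.in hunk `@@ -443,6 +450,9 @@`; as that file is generated by automake, the change belongs in Makefile.am only.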
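Review bot: In the cov-report hunk `@@ -47,10 +50,12 @@` the option `--rc lcov_branch_coverage=1` is pasted verbatim onto both lcov invocations, so the two calls can silently drift apart the next time the lcov settings change. Hoisting it into one variable near the top of the file, `LCOV_FLAGS = --rc lcov_branch_coverage=1`, and appending `$(LCOV_FLAGS)` to both the `lcov -c` and the `lcov -r` lines keeps the configuration in a single place. The identical recipe appears again in the Makefile.in hunk `@@ -971,17 +981,19 @@`, which is generated and will follow Makefile.am on the next automake run.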
@@ -67,7 +72,7 @@ coverage: endif clean-local: cov-reset-common - @find $(top_builddir)/{src,scripts} -name "*.gcno" -delete + @find $(top_builddir)/src $(top_builddir)/scripts -name "*.gcno" -delete @rm -rf apidoc .PHONY: cov-reset-common cov-reset cov-report coverage diff --git a/Makefile.in b/Makefile.in index 7e0df99c8..a81e93f0f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -190,7 +190,7 @@ am__define_uniq_tagged_files = \ ETAGS = etags CTAGS = ctags CSCOPE = cscope -DIST_SUBDIRS = src man init testing scripts +DIST_SUBDIRS = src man conf init testing scripts DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) @@ -229,7 +229,6 @@ am__relativize = \ DIST_ARCHIVES = $(distdir).tar.gz GZIP_ENV = --best DIST_TARGETS = dist-gzip -distuninstallcheck_listfiles = find . -type f -print am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \ | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$' distcleancheck_listfiles = find . -type f -print @@ -247,8 +246,6 @@ BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ -CHECK_CFLAGS = @CHECK_CFLAGS@ -CHECK_LIBS = @CHECK_LIBS@ COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ CPP = @CPP@ @@ -316,6 +313,11 @@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ 
@@ -404,12 +406,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ pki_plugins = @pki_plugins@ plugindir = @plugindir@ pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ @@ -424,6 +430,7 @@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ sysconfdir = @sysconfdir@ systemdsystemunitdir = @systemdsystemunitdir@ t_plugins = @t_plugins@ @@ -434,7 +441,7 @@ top_srcdir = @top_srcdir@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -SUBDIRS = src man init testing $(am__append_1) +SUBDIRS = src man conf init testing $(am__append_1) @USE_SILENT_RULES_TRUE@AM_MAKEFLAGS = -s ACLOCAL_AMFLAGS = -I m4/config EXTRA_DIST = Doxyfile.in LICENSE Android.common.mk.in Android.common.mk Android.mk @@ -443,6 +450,9 @@ BUILT_SOURCES = Android.common.mk MAINTAINERCLEANFILES = Android.common.mk @USE_DEV_HEADERS_TRUE@config_includedir = $(ipseclibdir)/include @USE_DEV_HEADERS_TRUE@nodist_config_include_HEADERS = config.h + +# we leave config files behind intentionally so prevent distcheck from complaining +distuninstallcheck_listfiles = find . -type f \! -name '*.conf' -print all: $(BUILT_SOURCES) config.h $(MAKE) $(AM_MAKEFLAGS) all-recursive 
@@ -971,17 +981,19 @@ apidoc : Doxyfile cov-reset-common: @rm -rf $(top_builddir)/coverage - @find $(top_builddir)/{src,scripts} -name "*.gcda" -delete + @find $(top_builddir)/src $(top_builddir)/scripts -name "*.gcda" -delete @COVERAGE_TRUE@cov-reset: cov-reset-common @COVERAGE_TRUE@ @lcov --zerocounters --directory $(top_builddir) @COVERAGE_TRUE@cov-report: @COVERAGE_TRUE@ @mkdir $(top_builddir)/coverage -@COVERAGE_TRUE@ lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir) +@COVERAGE_TRUE@ lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir) \ +@COVERAGE_TRUE@ --rc lcov_branch_coverage=1 @COVERAGE_TRUE@ lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' \ -@COVERAGE_TRUE@ -o $(top_builddir)/coverage/coverage.cleaned.info -@COVERAGE_TRUE@ genhtml --num-spaces 4 --legend \ +@COVERAGE_TRUE@ -o $(top_builddir)/coverage/coverage.cleaned.info \ +@COVERAGE_TRUE@ --rc lcov_branch_coverage=1 +@COVERAGE_TRUE@ genhtml --num-spaces 4 --legend --branch-coverage \ @COVERAGE_TRUE@ -t "$(PACKAGE_STRING)" \ @COVERAGE_TRUE@ -o $(top_builddir)/coverage/html \ @COVERAGE_TRUE@ -p `readlink -m $(abs_top_srcdir)`/src \ @@ -996,7 +1008,7 @@ cov-reset-common: @COVERAGE_FALSE@ @echo "reconfigure with --enable-coverage" clean-local: cov-reset-common - @find $(top_builddir)/{src,scripts} -name "*.gcno" -delete + @find $(top_builddir)/src $(top_builddir)/scripts -name "*.gcno" -delete @rm -rf apidoc .PHONY: cov-reset-common cov-reset cov-report coverage diff --git a/NEWS b/NEWS index 35edec9b4..0d22295d4 100644 --- a/NEWS +++ b/NEWS 
@@ -1,3 +1,49 @@
+strongswan-5.1.2
+----------------
+
+- A new default configuration file layout is introduced. The new default
+ strongswan.conf file mainly includes config snippets from the strongswan.d
+ and strongswan.d/charon directories (the latter containing snippets for all
+ plugins). The snippets, with commented defaults, are automatically
+ generated and installed, if they don't exist yet. They are also installed
+ in $prefix/share/strongswan/templates so existing files can be compared to
+ the current defaults.
+
+- As an alternative to the non-extensible charon.load setting, the plugins
+ to load in charon (and optionally other applications) can now be determined
+ via the charon.plugins..load setting for each plugin (enabled in the
+ new default strongswan.conf file via the charon.load_modular option).
+ The load setting optionally takes a numeric priority value that allows
+ reordering the plugins (otherwise the default plugin order is preserved).
+
+- All strongswan.conf settings that were formerly defined in library specific
+ "global" sections are now application specific (e.g. settings for plugins in
+ libstrongswan.plugins can now be set only for charon in charon.plugins).
+ The old options are still supported, which now allows to define defaults for
+ all applications in the libstrongswan section.
+
+- The ntru libstrongswan plugin supports NTRUEncrypt as a post-quantum
+ computer IKE key exchange mechanism. The implementation is based on the
+ ntru-crypto library from the NTRUOpenSourceProject. The supported security
+ strengths are ntru112, ntru128, ntru192, and ntru256. Since the private DH
+ group IDs 1030..1033 have been assigned, the strongSwan Vendor ID must be
+ sent (charon.send_vendor_id = yes) in order to use NTRU.
+
+- Defined a TPMRA remote attestation workitem and added support for it to the
+ Attestation IMV.
+ +- Compatibility issues between IPComp (compress=yes) and leftfirewall=yes as + well as multiple subnets in left|rightsubnet have been fixed. + +- When enabling its "session" strongswan.conf option, the xauth-pam plugin opens + and closes a PAM session for each established IKE_SA. Patch courtesy of + Andrea Bonomi. + +- The strongSwan unit testing framework has been rewritten without the "check" + dependency for improved flexibility and portability. It now properly supports + multi-threaded and memory leak testing and brings a bunch of new test cases. + + strongswan-5.1.1 ---------------- diff --git a/aclocal.m4 b/aclocal.m4 index 73b6cbd9f..e8f46245d 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -494,6 +494,43 @@ AC_PREREQ([2.50])dnl am_aux_dir=`cd $ac_aux_dir && pwd` ]) +# AM_COND_IF -*- Autoconf -*- + +# Copyright (C) 2008-2013 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# _AM_COND_IF +# _AM_COND_ELSE +# _AM_COND_ENDIF +# -------------- +# These macros are only used for tracing. +m4_define([_AM_COND_IF]) +m4_define([_AM_COND_ELSE]) +m4_define([_AM_COND_ENDIF]) + +# AM_COND_IF(COND, [IF-TRUE], [IF-FALSE]) +# --------------------------------------- +# If the shell condition COND is true, execute IF-TRUE, otherwise execute +# IF-FALSE. Allow automake to learn about conditional instantiating macros +# (the AC_CONFIG_FOOS). +AC_DEFUN([AM_COND_IF], +[m4_ifndef([_AM_COND_VALUE_$1], + [m4_fatal([$0: no such condition "$1"])])dnl +_AM_COND_IF([$1])dnl +if test -z "$$1_TRUE"; then : + m4_n([$2])[]dnl +m4_ifval([$3], +[_AM_COND_ELSE([$1])dnl +else + $3 +])dnl +_AM_COND_ENDIF([$1])dnl +fi[]dnl +]) + # AM_CONDITIONAL -*- Autoconf -*- # Copyright (C) 1997-2013 Free Software Foundation, Inc. 
@@ -1133,6 +1170,241 @@ AC_DEFUN([_AM_SET_OPTIONS], AC_DEFUN([_AM_IF_OPTION], [m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])]) +# Copyright (C) 1999-2013 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + + +# AM_PATH_PYTHON([MINIMUM-VERSION], [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) +# --------------------------------------------------------------------------- +# Adds support for distributing Python modules and packages. To +# install modules, copy them to $(pythondir), using the python_PYTHON +# automake variable. To install a package with the same name as the +# automake package, install to $(pkgpythondir), or use the +# pkgpython_PYTHON automake variable. +# +# The variables $(pyexecdir) and $(pkgpyexecdir) are provided as +# locations to install python extension modules (shared libraries). +# Another macro is required to find the appropriate flags to compile +# extension modules. +# +# If your package is configured with a different prefix to python, +# users will have to add the install directory to the PYTHONPATH +# environment variable, or create a .pth file (see the python +# documentation for details). +# +# If the MINIMUM-VERSION argument is passed, AM_PATH_PYTHON will +# cause an error if the version of python installed on the system +# doesn't meet the requirement. MINIMUM-VERSION should consist of +# numbers and dots only. +AC_DEFUN([AM_PATH_PYTHON], + [ + dnl Find a Python interpreter. Python versions prior to 2.0 are not + dnl supported. (2.0 was released on October 16, 2000). 
+ m4_define_default([_AM_PYTHON_INTERPRETER_LIST], +[python python2 python3 python3.3 python3.2 python3.1 python3.0 python2.7 dnl + python2.6 python2.5 python2.4 python2.3 python2.2 python2.1 python2.0]) + + AC_ARG_VAR([PYTHON], [the Python interpreter]) + + m4_if([$1],[],[ + dnl No version check is needed. + # Find any Python interpreter. + if test -z "$PYTHON"; then + AC_PATH_PROGS([PYTHON], _AM_PYTHON_INTERPRETER_LIST, :) + fi + am_display_PYTHON=python + ], [ + dnl A version check is needed. + if test -n "$PYTHON"; then + # If the user set $PYTHON, use it and don't search something else. + AC_MSG_CHECKING([whether $PYTHON version is >= $1]) + AM_PYTHON_CHECK_VERSION([$PYTHON], [$1], + [AC_MSG_RESULT([yes])], + [AC_MSG_RESULT([no]) + AC_MSG_ERROR([Python interpreter is too old])]) + am_display_PYTHON=$PYTHON + else + # Otherwise, try each interpreter until we find one that satisfies + # VERSION. + AC_CACHE_CHECK([for a Python interpreter with version >= $1], + [am_cv_pathless_PYTHON],[ + for am_cv_pathless_PYTHON in _AM_PYTHON_INTERPRETER_LIST none; do + test "$am_cv_pathless_PYTHON" = none && break + AM_PYTHON_CHECK_VERSION([$am_cv_pathless_PYTHON], [$1], [break]) + done]) + # Set $PYTHON to the absolute path of $am_cv_pathless_PYTHON. + if test "$am_cv_pathless_PYTHON" = none; then + PYTHON=: + else + AC_PATH_PROG([PYTHON], [$am_cv_pathless_PYTHON]) + fi + am_display_PYTHON=$am_cv_pathless_PYTHON + fi + ]) + + if test "$PYTHON" = :; then + dnl Run any user-specified action, or abort. + m4_default([$3], [AC_MSG_ERROR([no suitable Python interpreter found])]) + else + + dnl Query Python for its version number. Getting [:3] seems to be + dnl the best way to do this; it's what "site.py" does in the standard + dnl library. 
+ + AC_CACHE_CHECK([for $am_display_PYTHON version], [am_cv_python_version], + [am_cv_python_version=`$PYTHON -c "import sys; sys.stdout.write(sys.version[[:3]])"`]) + AC_SUBST([PYTHON_VERSION], [$am_cv_python_version]) + + dnl Use the values of $prefix and $exec_prefix for the corresponding + dnl values of PYTHON_PREFIX and PYTHON_EXEC_PREFIX. These are made + dnl distinct variables so they can be overridden if need be. However, + dnl general consensus is that you shouldn't need this ability. + + AC_SUBST([PYTHON_PREFIX], ['${prefix}']) + AC_SUBST([PYTHON_EXEC_PREFIX], ['${exec_prefix}']) + + dnl At times (like when building shared libraries) you may want + dnl to know which OS platform Python thinks this is. + + AC_CACHE_CHECK([for $am_display_PYTHON platform], [am_cv_python_platform], + [am_cv_python_platform=`$PYTHON -c "import sys; sys.stdout.write(sys.platform)"`]) + AC_SUBST([PYTHON_PLATFORM], [$am_cv_python_platform]) + + # Just factor out some code duplication. + am_python_setup_sysconfig="\ +import sys +# Prefer sysconfig over distutils.sysconfig, for better compatibility +# with python 3.x. See automake bug#10227. +try: + import sysconfig +except ImportError: + can_use_sysconfig = 0 +else: + can_use_sysconfig = 1 +# Can't use sysconfig in CPython 2.7, since it's broken in virtualenvs: +# +try: + from platform import python_implementation + if python_implementation() == 'CPython' and sys.version[[:3]] == '2.7': + can_use_sysconfig = 0 +except ImportError: + pass" + + dnl Set up 4 directories: + + dnl pythondir -- where to install python scripts. This is the + dnl site-packages directory, not the python standard library + dnl directory like in previous automake betas. This behavior + dnl is more consistent with lispdir.m4 for example. + dnl Query distutils for this directory. 
+ AC_CACHE_CHECK([for $am_display_PYTHON script directory], + [am_cv_python_pythondir], + [if test "x$prefix" = xNONE + then + am_py_prefix=$ac_default_prefix + else + am_py_prefix=$prefix + fi + am_cv_python_pythondir=`$PYTHON -c " +$am_python_setup_sysconfig +if can_use_sysconfig: + sitedir = sysconfig.get_path('purelib', vars={'base':'$am_py_prefix'}) +else: + from distutils import sysconfig + sitedir = sysconfig.get_python_lib(0, 0, prefix='$am_py_prefix') +sys.stdout.write(sitedir)"` + case $am_cv_python_pythondir in + $am_py_prefix*) + am__strip_prefix=`echo "$am_py_prefix" | sed 's|.|.|g'` + am_cv_python_pythondir=`echo "$am_cv_python_pythondir" | sed "s,^$am__strip_prefix,$PYTHON_PREFIX,"` + ;; + *) + case $am_py_prefix in + /usr|/System*) ;; + *) + am_cv_python_pythondir=$PYTHON_PREFIX/lib/python$PYTHON_VERSION/site-packages + ;; + esac + ;; + esac + ]) + AC_SUBST([pythondir], [$am_cv_python_pythondir]) + + dnl pkgpythondir -- $PACKAGE directory under pythondir. Was + dnl PYTHON_SITE_PACKAGE in previous betas, but this naming is + dnl more consistent with the rest of automake. + + AC_SUBST([pkgpythondir], [\${pythondir}/$PACKAGE]) + + dnl pyexecdir -- directory for installing python extension modules + dnl (shared libraries) + dnl Query distutils for this directory. 
+ AC_CACHE_CHECK([for $am_display_PYTHON extension module directory], + [am_cv_python_pyexecdir], + [if test "x$exec_prefix" = xNONE + then + am_py_exec_prefix=$am_py_prefix + else + am_py_exec_prefix=$exec_prefix + fi + am_cv_python_pyexecdir=`$PYTHON -c " +$am_python_setup_sysconfig +if can_use_sysconfig: + sitedir = sysconfig.get_path('platlib', vars={'platbase':'$am_py_prefix'}) +else: + from distutils import sysconfig + sitedir = sysconfig.get_python_lib(1, 0, prefix='$am_py_prefix') +sys.stdout.write(sitedir)"` + case $am_cv_python_pyexecdir in + $am_py_exec_prefix*) + am__strip_prefix=`echo "$am_py_exec_prefix" | sed 's|.|.|g'` + am_cv_python_pyexecdir=`echo "$am_cv_python_pyexecdir" | sed "s,^$am__strip_prefix,$PYTHON_EXEC_PREFIX,"` + ;; + *) + case $am_py_exec_prefix in + /usr|/System*) ;; + *) + am_cv_python_pyexecdir=$PYTHON_EXEC_PREFIX/lib/python$PYTHON_VERSION/site-packages + ;; + esac + ;; + esac + ]) + AC_SUBST([pyexecdir], [$am_cv_python_pyexecdir]) + + dnl pkgpyexecdir -- $(pyexecdir)/$(PACKAGE) + + AC_SUBST([pkgpyexecdir], [\${pyexecdir}/$PACKAGE]) + + dnl Run any user-specified action. + $2 + fi + +]) + + +# AM_PYTHON_CHECK_VERSION(PROG, VERSION, [ACTION-IF-TRUE], [ACTION-IF-FALSE]) +# --------------------------------------------------------------------------- +# Run ACTION-IF-TRUE if the Python interpreter PROG has version >= VERSION. +# Run ACTION-IF-FALSE otherwise. +# This test uses sys.hexversion instead of the string equivalent (first +# word of sys.version), in order to cope with versions such as 2.2c1. +# This supports Python 2.0 or higher. (2.0 was released on October 16, 2000). +AC_DEFUN([AM_PYTHON_CHECK_VERSION], + [prog="import sys +# split strings by '.' and convert to numeric. Append some zeros +# because we need at least 4 digits for the hex conversion. 
+# map returns an iterator in Python 3.0 and a list in 2.x +minver = list(map(int, '$2'.split('.'))) + [[0, 0, 0]] +minverhex = 0 +# xrange is not present in Python 3.0 and range returns an iterator +for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[[i]] +sys.exit(sys.hexversion < minverhex)" + AS_IF([AM_RUN_LOG([$1 -c "$prog"])], [$3], [$4])]) + # Copyright (C) 2001-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation diff --git a/conf/Makefile.am b/conf/Makefile.am new file mode 100644 index 000000000..61a0add4d --- /dev/null +++ b/conf/Makefile.am 
@@ -0,0 +1,163 @@
+# make this relative to the location of strongswan.conf
+strongswanconfdir = `dirname $(strongswan_conf)`
+strongswanddir = $(strongswanconfdir)/strongswan.d
+charonconfdir = $(strongswanddir)/charon
+# copy these files also to /usr/share
+templatesdir = $(pkgdatadir)/templates/config
+optionstemplatedir = $(templatesdir)/strongswan.d
+pluginstemplatedir = $(templatesdir)/plugins
+
+options = \
+ options/attest.opt \
+ options/charon.opt \
+ options/charon-logging.opt \
+ options/imcv.opt \
+ options/manager.opt \
+ options/medsrv.opt \
+ options/pacman.opt \
+ options/pool.opt \
+ options/starter.opt \
+ options/tnc.opt \
+ options/tools.opt
+
+plugins = \
+ plugins/android_log.opt \
+ plugins/attr.opt \
+ plugins/attr-sql.opt \
+ plugins/certexpire.opt \
+ plugins/coupling.opt \
+ plugins/dhcp.opt \
+ plugins/dnscert.opt \
+ plugins/duplicheck.opt \
+ plugins/eap-aka.opt \
+ plugins/eap-aka-3ggp2.opt \
+ plugins/eap-dynamic.opt \
+ plugins/eap-gtc.opt \
+ plugins/eap-peap.opt \
+ plugins/eap-radius.opt \
+ plugins/eap-sim.opt \
+ plugins/eap-simaka-sql.opt \
+ plugins/eap-tls.opt \
+ plugins/eap-tnc.opt \
+ plugins/eap-ttls.opt \
+ plugins/error-notify.opt \
+ plugins/gcrypt.opt \
+ plugins/ha.opt \
+ plugins/imc-attestation.opt \
+ plugins/imc-os.opt \
+ plugins/imc-scanner.opt \
+ plugins/imc-swid.opt \
+ plugins/imc-test.opt \
+ plugins/imv-attestation.opt \
+ plugins/imv-os.opt \
+ plugins/imv-scanner.opt \
+ plugins/imv-test.opt \
+ plugins/ipseckey.opt \
+ plugins/led.opt \
+ plugins/kernel-klips.opt \
+ plugins/kernel-libipsec.opt \
+ plugins/kernel-netlink.opt \
+ plugins/kernel-pfroute.opt \
+ plugins/load-tester.opt \
+ plugins/lookip.opt \
+ plugins/ntru.opt \
+ plugins/openssl.opt \
+ plugins/pkcs11.opt \
+ plugins/radattr.opt \
+ plugins/random.opt \
+ plugins/resolve.opt \
+ plugins/socket-default.opt \
+ plugins/sql.opt \
+ plugins/stroke.opt \
+ plugins/systime-fix.opt \
+ plugins/tnc-ifmap.opt \
+ plugins/tnc-imc.opt \
+ 
plugins/tnc-imv.opt \
+ plugins/tnc-pdp.opt \
+ plugins/tnccs-11.opt \
+ plugins/tnccs-20.opt \
+ plugins/unbound.opt \
+ plugins/updown.opt \
+ plugins/whitelist.opt \
+ plugins/xauth-eap.opt \
+ plugins/xauth-pam.opt
+
+alloptions = $(options) $(plugins)
+
+confsnippets = $(alloptions:opt=conf)
+
+# we only install snippets for enabled plugins
+plugins_install_tmp = $(charon_plugins:%=plugins/%.tmp)
+plugins_install_src = $(charon_plugins:%=plugins/%.conf)
+# only install snippets for enabled components
+# has to be defined via autoconf as we can't do it with automake conditionals
+options_install_src = $(strongswan_options:%=options/%.conf)
+
+templates_DATA = strongswan.conf
+optionstemplate_DATA = $(options_install_src)
+pluginstemplate_DATA = $(plugins_install_src)
+man_MANS = \
+ strongswan.conf.5
+
+BUILT_SOURCES = default.conf strongswan.conf.5.main $(confsnippets)
+EXTRA_DIST = format-options.py strongswan.conf default.opt \
+ default.conf strongswan.conf.5.main $(alloptions) $(confsnippets)
+
+CLEANFILES=$(man_MANS)
+
+.opt.conf:
+ $(AM_V_GEN) \
+ case "$<" in \
+ *plugins/*) \
+ sed \
+ -e "s:\@PLUGIN_NAME\@:`basename $< .opt`:" \
+ $(srcdir)/default.opt | cat - $< | \
+ $(PYTHON) $(srcdir)/format-options.py -f conf -r charon.plugins > $(srcdir)/$@ \
+ ;; \
+ *) \
+ $(PYTHON) $(srcdir)/format-options.py -f conf -r charon.plugins $< > $(srcdir)/$@ \
+ ;; \
+ esac
+
+# we need another implicit rule to generate files from the generic template only
+# if the rules above did not catch it. this requires an intermediate step that
+# generates a copy of the generic config template.
+$(plugins_install_tmp):
+ @mkdir -p $(builddir)/plugins
+ @cp $(srcdir)/default.conf $(builddir)/$@
+
+.tmp.conf:
+ $(AM_V_GEN) \
+ sed \
+ -e "s:\@PLUGIN_NAME\@:`basename $< .tmp`:" \
+ $(builddir)/$< > $(builddir)/$@
+
+strongswan.conf.5.main: $(alloptions)
+ $(AM_V_GEN) \
+ cd $(srcdir) && $(PYTHON) format-options.py -f man $(alloptions) > $@
+
+strongswan.conf.5: strongswan.conf.5.head strongswan.conf.5.main strongswan.conf.5.tail
+ $(AM_V_GEN) \
+ cat strongswan.conf.5.head $(srcdir)/strongswan.conf.5.main strongswan.conf.5.tail > $@
+
+clean-local:
+ rm -f plugins/*.conf plugins/*.tmp
+
+maintainer-clean-local:
+ cd $(srcdir) && \
+ rm -f $(confsnippets) default.conf plugins/*.conf plugins/*.tmp
+
+install-data-local: $(plugins_install_src)
+ test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)"
+ test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)"
+ test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)"
+ test -e "$(DESTDIR)$(strongswanconfdir)/strongswan.conf" || $(INSTALL) -m 644 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswanconfdir)/strongswan.conf || true
+ for f in $(options_install_src); do \
+ name=`basename $$f`; \
+ test -f "$(DESTDIR)$(strongswanddir)/$$name" || $(INSTALL) -m 644 "$(srcdir)/$$f" "$(DESTDIR)$(strongswanddir)/$$name" || true; \
+ done
+ for f in $(plugins_install_src); do \
+ name=`basename $$f`; \
+ if test -f "$$f"; then dir=; else dir="$(srcdir)/"; fi; \
+ test -f "$(DESTDIR)$(charonconfdir)/$$name" || $(INSTALL) -m 644 "$$dir$$f" "$(DESTDIR)$(charonconfdir)/$$name" || true; \
+ done
diff --git a/conf/Makefile.in b/conf/Makefile.in
new file mode 100644
index 000000000..d92593219
--- /dev/null
+++ b/conf/Makefile.in
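Review bot: Each of the three `$(INSTALL) -m 644` commands in `install-data-local` ends in `|| true`, so a copy that fails (unwritable `$(DESTDIR)$(charonconfdir)`, full disk) still returns success and `make install` completes without the snippet, which presumably only shows up later as charon running without the intended plugin defaults; the preceding `test -f … ||` already provides the "never overwrite an existing file" behaviour, so the trailing `|| true` can be dropped, e.g. `test -f "$(DESTDIR)$(strongswanddir)/$$name" || $(INSTALL) -m 644 "$(srcdir)/$$f" "$(DESTDIR)$(strongswanddir)/$$name"; \`. Relatedly, the `$(plugins_install_tmp):` rule copies `$(srcdir)/default.conf` but lists no prerequisite, so an existing `plugins/*.tmp` is never refreshed when the generic template changes until `clean-local` removes it; `$(plugins_install_tmp): $(srcdir)/default.conf` makes the dependency visible. The installed strongswan.conf and snippets are world-readable (`-m 644`); the shipped content is commented defaults, but this is the file where plugin settings such as those described by plugins/eap-radius.opt and plugins/sql.opt end up, so a one-line comment above `install-data-local` such as `# installed 0644 as templates only; tighten permissions once secrets are added to these files` would help packagers. Minor style point: the directory checks mix `${strongswanconfdir}` and `$(strongswanconfdir)` on the same line; using `$(...)` throughout keeps the file consistent.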
@@ -0,0 +1,873 @@ +# Makefile.in generated by automake 1.13.3 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = 
$(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = conf +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(srcdir)/strongswan.conf.5.head.in \ + $(srcdir)/strongswan.conf.5.tail.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = strongswan.conf.5.head strongswan.conf.5.tail +CONFIG_CLEAN_VPATH_FILES = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +LTCOMPILE = 
$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = +DIST_SOURCES = +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! 
-r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +man5dir = $(mandir)/man5 +am__installdirs = "$(DESTDIR)$(man5dir)" \ + "$(DESTDIR)$(optionstemplatedir)" \ + "$(DESTDIR)$(pluginstemplatedir)" "$(DESTDIR)$(templatesdir)" +NROFF = nroff +MANS = $(man_MANS) +DATA = $(optionstemplate_DATA) $(pluginstemplate_DATA) \ + $(templates_DATA) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ 
+PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ 
+h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +sysconfdir = @sysconfdir@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ 
+top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ + +# make this relative to the location of strongswan.conf +strongswanconfdir = `dirname $(strongswan_conf)` +strongswanddir = $(strongswanconfdir)/strongswan.d +charonconfdir = $(strongswanddir)/charon +# copy these files also to /usr/share +templatesdir = $(pkgdatadir)/templates/config +optionstemplatedir = $(templatesdir)/strongswan.d +pluginstemplatedir = $(templatesdir)/plugins +options = \ + options/attest.opt \ + options/charon.opt \ + options/charon-logging.opt \ + options/imcv.opt \ + options/manager.opt \ + options/medsrv.opt \ + options/pacman.opt \ + options/pool.opt \ + options/starter.opt \ + options/tnc.opt \ + options/tools.opt + +plugins = \ + plugins/android_log.opt \ + plugins/attr.opt \ + plugins/attr-sql.opt \ + plugins/certexpire.opt \ + plugins/coupling.opt \ + plugins/dhcp.opt \ + plugins/dnscert.opt \ + plugins/duplicheck.opt \ + plugins/eap-aka.opt \ + plugins/eap-aka-3ggp2.opt \ + plugins/eap-dynamic.opt \ + plugins/eap-gtc.opt \ + plugins/eap-peap.opt \ + plugins/eap-radius.opt \ + plugins/eap-sim.opt \ + plugins/eap-simaka-sql.opt \ + plugins/eap-tls.opt \ + plugins/eap-tnc.opt \ + plugins/eap-ttls.opt \ + plugins/error-notify.opt \ + plugins/gcrypt.opt \ + plugins/ha.opt \ + plugins/imc-attestation.opt \ + plugins/imc-os.opt \ + plugins/imc-scanner.opt \ + plugins/imc-swid.opt \ + plugins/imc-test.opt \ + plugins/imv-attestation.opt \ + plugins/imv-os.opt \ + plugins/imv-scanner.opt \ + plugins/imv-test.opt \ + plugins/ipseckey.opt \ + plugins/led.opt \ + plugins/kernel-klips.opt \ + plugins/kernel-libipsec.opt \ + plugins/kernel-netlink.opt \ + plugins/kernel-pfroute.opt \ + plugins/load-tester.opt \ + plugins/lookip.opt \ + plugins/ntru.opt \ + plugins/openssl.opt \ + plugins/pkcs11.opt \ + plugins/radattr.opt \ + plugins/random.opt \ + plugins/resolve.opt \ + plugins/socket-default.opt \ + plugins/sql.opt \ + 
plugins/stroke.opt \ + plugins/systime-fix.opt \ + plugins/tnc-ifmap.opt \ + plugins/tnc-imc.opt \ + plugins/tnc-imv.opt \ + plugins/tnc-pdp.opt \ + plugins/tnccs-11.opt \ + plugins/tnccs-20.opt \ + plugins/unbound.opt \ + plugins/updown.opt \ + plugins/whitelist.opt \ + plugins/xauth-eap.opt \ + plugins/xauth-pam.opt + +alloptions = $(options) $(plugins) +confsnippets = $(alloptions:opt=conf) + +# we only install snippets for enabled plugins +plugins_install_tmp = $(charon_plugins:%=plugins/%.tmp) +plugins_install_src = $(charon_plugins:%=plugins/%.conf) +# only install snippets for enabled components +# has to be defined via autoconf as we can't do it with automake conditionals +options_install_src = $(strongswan_options:%=options/%.conf) +templates_DATA = strongswan.conf +optionstemplate_DATA = $(options_install_src) +pluginstemplate_DATA = $(plugins_install_src) +man_MANS = \ + strongswan.conf.5 + +BUILT_SOURCES = default.conf strongswan.conf.5.main $(confsnippets) +EXTRA_DIST = format-options.py strongswan.conf default.opt \ + default.conf strongswan.conf.5.main $(alloptions) $(confsnippets) + +CLEANFILES = $(man_MANS) +all: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) all-am + +.SUFFIXES: +.SUFFIXES: .conf .opt .tmp +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu conf/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu conf/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +strongswan.conf.5.head: $(top_builddir)/config.status $(srcdir)/strongswan.conf.5.head.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ +strongswan.conf.5.tail: $(top_builddir)/config.status $(srcdir)/strongswan.conf.5.tail.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man5: $(man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man5dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man5dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man5dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.5[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + 
for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \ + done; } + +uninstall-man5: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man5dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.5[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir) +install-optionstemplateDATA: $(optionstemplate_DATA) + @$(NORMAL_INSTALL) + @list='$(optionstemplate_DATA)'; test -n "$(optionstemplatedir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(optionstemplatedir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(optionstemplatedir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(optionstemplatedir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(optionstemplatedir)" || exit $$?; \ + done + +uninstall-optionstemplateDATA: + @$(NORMAL_UNINSTALL) + @list='$(optionstemplate_DATA)'; test -n "$(optionstemplatedir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(optionstemplatedir)'; $(am__uninstall_files_from_dir) +install-pluginstemplateDATA: $(pluginstemplate_DATA) + @$(NORMAL_INSTALL) + @list='$(pluginstemplate_DATA)'; test -n "$(pluginstemplatedir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(pluginstemplatedir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(pluginstemplatedir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read 
files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(pluginstemplatedir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(pluginstemplatedir)" || exit $$?; \ + done + +uninstall-pluginstemplateDATA: + @$(NORMAL_UNINSTALL) + @list='$(pluginstemplate_DATA)'; test -n "$(pluginstemplatedir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(pluginstemplatedir)'; $(am__uninstall_files_from_dir) +install-templatesDATA: $(templates_DATA) + @$(NORMAL_INSTALL) + @list='$(templates_DATA)'; test -n "$(templatesdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(templatesdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(templatesdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(templatesdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(templatesdir)" || exit $$?; \ + done + +uninstall-templatesDATA: + @$(NORMAL_UNINSTALL) + @list='$(templates_DATA)'; test -n "$(templatesdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(templatesdir)'; $(am__uninstall_files_from_dir) +tags TAGS: + +ctags CTAGS: + +cscope cscopelist: + + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d 
"$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) check-am +all-am: Makefile $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(optionstemplatedir)" "$(DESTDIR)$(pluginstemplatedir)" "$(DESTDIR)$(templatesdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+ -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) +clean: clean-am + +clean-am: clean-generic clean-libtool clean-local mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-generic + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-data-local install-man \ + install-optionstemplateDATA install-pluginstemplateDATA \ + install-templatesDATA + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: install-man5 + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic \ + maintainer-clean-local + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-generic mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-optionstemplateDATA \ + uninstall-pluginstemplateDATA uninstall-templatesDATA + +uninstall-man: uninstall-man5 + +.MAKE: all check install install-am install-strip + +.PHONY: all all-am check check-am clean clean-generic clean-libtool \ + clean-local cscopelist-am ctags-am distclean distclean-generic \ + distclean-libtool distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am \ + install-data-local install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man5 \ + install-optionstemplateDATA install-pdf install-pdf-am \ + install-pluginstemplateDATA install-ps install-ps-am \ + install-strip install-templatesDATA installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic maintainer-clean-local mostlyclean \ + mostlyclean-generic 
mostlyclean-libtool pdf pdf-am ps ps-am \ + tags-am uninstall uninstall-am uninstall-man uninstall-man5 \ + uninstall-optionstemplateDATA uninstall-pluginstemplateDATA \ + uninstall-templatesDATA + + +.opt.conf: + $(AM_V_GEN) \ + case "$<" in \ + *plugins/*) \ + sed \ + -e "s:\@PLUGIN_NAME\@:`basename $< .opt`:" \ + $(srcdir)/default.opt | cat - $< | \ + $(PYTHON) $(srcdir)/format-options.py -f conf -r charon.plugins > $(srcdir)/$@ \ + ;; \ + *) \ + $(PYTHON) $(srcdir)/format-options.py -f conf -r charon.plugins $< > $(srcdir)/$@ \ + ;; \ + esac + +# we need another implicit rule to generate files from the generic template only +# if the rules above did not catch it. this requires an intermediate step that +# generates a copy of the generic config template. +$(plugins_install_tmp): + @mkdir -p $(builddir)/plugins + @cp $(srcdir)/default.conf $(builddir)/$@ + +.tmp.conf: + $(AM_V_GEN) \ + sed \ + -e "s:\@PLUGIN_NAME\@:`basename $< .tmp`:" \ + $(builddir)/$< > $(builddir)/$@ + +strongswan.conf.5.main: $(alloptions) + $(AM_V_GEN) \ + cd $(srcdir) && $(PYTHON) format-options.py -f man $(alloptions) > $@ + +strongswan.conf.5: strongswan.conf.5.head strongswan.conf.5.main strongswan.conf.5.tail + $(AM_V_GEN) \ + cat strongswan.conf.5.head $(srcdir)/strongswan.conf.5.main strongswan.conf.5.tail > $@ + +clean-local: + rm -f plugins/*.conf plugins/*.tmp + +maintainer-clean-local: + cd $(srcdir) && \ + rm -f $(confsnippets) default.conf plugins/*.conf plugins/*.tmp + +install-data-local: $(plugins_install_src) + test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)" + test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)" + test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)" + test -e "$(DESTDIR)$(strongswanconfdir)/strongswan.conf" || $(INSTALL) -m 644 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswanconfdir)/strongswan.conf || true + for f in $(options_install_src); do \ + 
name=`basename $$f`; \
+ test -f "$(DESTDIR)$(strongswanddir)/$$name" || $(INSTALL) -m 644 "$(srcdir)/$$f" "$(DESTDIR)$(strongswanddir)/$$name" || true; \
+ done
+ for f in $(plugins_install_src); do \
+ name=`basename $$f`; \
+ if test -f "$$f"; then dir=; else dir="$(srcdir)/"; fi; \
+ test -f "$(DESTDIR)$(charonconfdir)/$$name" || $(INSTALL) -m 644 "$$dir$$f" "$(DESTDIR)$(charonconfdir)/$$name" || true; \
+ done
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/conf/default.conf b/conf/default.conf
new file mode 100644
index 000000000..41d2e1f85
--- /dev/null
+++ b/conf/default.conf
@@ -0,0 +1,8 @@
+@PLUGIN_NAME@ {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/default.opt b/conf/default.opt
new file mode 100644
index 000000000..8c833642d
--- /dev/null
+++ b/conf/default.opt
@@ -0,0 +1,3 @@
+charon.plugins.@PLUGIN_NAME@.load := yes
+ Whether to load the plugin. Can also be an integer to increase the priority
+ of this plugin.
diff --git a/conf/format-options.py b/conf/format-options.py
new file mode 100755
index 000000000..04afed6d6
--- /dev/null
+++ b/conf/format-options.py
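Review bot: The description of `charon.plugins.@PLUGIN_NAME@.load` in default.opt never states under which condition the per-plugin option is consulted, although the `:=` assignment makes it the one option emitted uncommented (`load = yes`) in every installed plugin snippet, so an administrator editing a snippet will assume that `load = no` alone disables the plugin. The charon.conf added by this same commit documents `load_modular = no` as the switch that lets charon "determine plugins to load via each plugin's load option", which suggests the per-plugin value is ignored under the default and the `charon.load` list decides instead; the exact precedence should be confirmed against the plugin loader before wording it. I would extend the description with `Only evaluated if **charon.load_modular** is enabled; otherwise the plugins listed in **charon.load** are loaded and this option has no effect.` Per the format described in format-options.py, putting this in a second paragraph reaches only the man page, so it belongs in the first paragraph if the generated snippet should carry it as well.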
@@ -0,0 +1,337 @@
+#!/usr/bin/env python
+#
+# Copyright (C) 2014 Tobias Brunner
+# Hochschule fuer Technik Rapperswil
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+
+"""
+Parses strongswan.conf option descriptions and produces configuration file
+and man page snippets.
+
+The format for description files is as follows:
+
+full.option.name [[:]= default]
+ Short description intended as comment in config snippet
+
+ Long description for use in the man page, with
+ simple formatting: _italic_, **bold**
+
+ Second paragraph of the long description
+
+The descriptions must be indented by tabs or spaces but are both optional.
+If only a short description is given it is used for both intended usages.
+Line breaks within a paragraph of the long description or the short description
+are not preserved. But multiple paragraphs will be separated in the man page.
+Any formatting in the short description is removed when producing config
+snippets.
+
+Options for which a value is assigned with := are not commented out in the
+produced configuration file snippet. This allows to override a default value,
+that e.g. has to be preserved for legacy reasons, in the generated default
+config.
+
+To describe sections the following format can be used:
+
+full.section.name {[#]}
+ Short description of this section
+
+ Long description as above
+
+If a # is added between the curly braces the section header will be commented
+out in the configuration file snippet, which is useful for example sections.
+""" + +import sys +import re +from textwrap import TextWrapper +from optparse import OptionParser + +class ConfigOption: + """Representing a configuration option or described section in strongswan.conf""" + def __init__(self, name, default = None, section = False, commented = False): + self.name = name.split('.')[-1] + self.fullname = name + self.default = default + self.section = section + self.commented = commented + self.desc = [] + self.options = [] + + def __cmp__(self, other): + if self.section == other.section: + return cmp(self.name, other.name) + return 1 if self.section else -1 + + def add_paragraph(self): + """Adds a new paragraph to the description""" + if len(self.desc) and len(self.desc[-1]): + self.desc.append("") + + def add(self, line): + """Adds a line to the last paragraph""" + if not len(self.desc): + self.desc.append(line) + elif not len(self.desc[-1]): + self.desc[-1] = line + else: + self.desc[-1] += ' ' + line + + def adopt(self, other): + """Adopts settings from other, which should be more recently parsed""" + self.default = other.default + self.commented = other.commented + self.desc = other.desc + +class Parser: + """Parses one or more files of configuration options""" + def __init__(self): + self.options = [] + + def parse(self, file): + """Parses the given file and adds all options to the internal store""" + self.__current = None + for line in file: + self.__parse_line(line) + if self.__current: + self.__add_option(self.__current) + + def __parse_line(self, line): + """Parses a single line""" + if re.match(r'^\s*#', line): + return + # option definition + m = re.match(r'^(?P\S+)\s*((?P:)?=\s*(?P.+)?)?\s*$', line) + if m: + if self.__current: + self.__add_option(self.__current) + self.__current = ConfigOption(m.group('name'), m.group('default'), + commented = not m.group('assign')) + return + # section definition + m = re.match(r'^(?P\S+)\s*\{\s*(?P#)?\s*\}\s*$', line) + if m: + if self.__current: + self.__add_option(self.__current) + 
self.__current = ConfigOption(m.group('name'), section = True, + commented = m.group('comment')) + return + # paragraph separator + m = re.match(r'^\s*$', line) + if m and self.__current: + self.__current.add_paragraph() + # description line + m = re.match(r'^\s+(?P.+?)\s*$', line) + if m and self.__current: + self.__current.add(m.group('text')) + + def __add_option(self, option): + """Adds the given option to the abstract storage""" + option.desc = [desc for desc in option.desc if len(desc)] + parts = option.fullname.split('.') + parent = self.__get_option(parts[:-1], True) + if not parent: + parent = self + found = next((x for x in parent.options if x.name == option.name + and x.section == option.section), None) + if found: + found.adopt(option) + else: + parent.options.append(option) + parent.options.sort() + + def __get_option(self, parts, create = False): + """Searches/Creates the option (section) based on a list of section names""" + option = None + options = self.options + fullname = "" + for name in parts: + fullname += '.' 
+ name if len(fullname) else name + option = next((x for x in options if x.name == name and x.section), None) + if not option: + if not create: + break + option = ConfigOption(fullname, section = True) + options.append(option) + options.sort() + options = option.options + return option + + def get_option(self, name): + """Retrieves the option with the given name""" + return self.__get_option(name.split('.')) + +class TagReplacer: + """Replaces formatting tags in text""" + def __init__(self): + self.__matcher_b = self.__create_matcher('**') + self.__matcher_i = self.__create_matcher('_') + self.__replacer = None + + def __create_matcher(self, tag): + tag = re.escape(tag) + return re.compile(r''' + (^|\s|(?P[(\[])) # prefix with optional opening bracket + (?P''' + tag + r''') # start tag + (?P\w|\S.*?\S) # text + ''' + tag + r''' # end tag + (?P([.,!:)\]]|\(\d+\))*) # punctuation + (?=$|\s) # suffix (don't consume it so that subsequent tags can match) + ''', flags = re.DOTALL | re.VERBOSE) + + def _create_replacer(self): + def replacer(m): + punct = m.group('punct') + if not punct: + punct = '' + return '{0}{1}{2}'.format(m.group(1), m.group('text'), punct) + return replacer + + def replace(self, text): + if not self.__replacer: + self.__replacer = self._create_replacer() + text = re.sub(self.__matcher_b, self.__replacer, text) + return re.sub(self.__matcher_i, self.__replacer, text) + +class GroffTagReplacer(TagReplacer): + def _create_replacer(self): + def replacer(m): + nl = '\n' if m.group(1) else '' + format = 'I' if m.group('tag') == '_' else 'B' + brack = m.group('brack') + if not brack: + brack = '' + punct = m.group('punct') + if not punct: + punct = '' + text = re.sub(r'[\r\n\t]', ' ', m.group('text')) + return '{0}.R{1} "{2}" "{3}" "{4}"\n'.format(nl, format, brack, text, punct) + return replacer + +class ConfFormatter: + """Formats options to a strongswan.conf snippet""" + def __init__(self): + self.__indent = ' ' + self.__wrapper = TextWrapper(width = 
80, replace_whitespace = True, + break_long_words = False, break_on_hyphens = False) + self.__tags = TagReplacer() + + def __print_description(self, opt, indent): + if len(opt.desc): + self.__wrapper.initial_indent = '{0}# '.format(self.__indent * indent) + self.__wrapper.subsequent_indent = self.__wrapper.initial_indent + print format(self.__wrapper.fill(self.__tags.replace(opt.desc[0]))) + + def __print_option(self, opt, indent, commented): + """Print a single option with description and default value""" + comment = "# " if commented or opt.commented else "" + self.__print_description(opt, indent) + if opt.default: + print '{0}{1}{2} = {3}'.format(self.__indent * indent, comment, opt.name, opt.default) + else: + print '{0}{1}{2} ='.format(self.__indent * indent, comment, opt.name) + print + + def __print_section(self, section, indent, commented): + """Print a section with all options""" + comment = "# " if commented or section.commented else "" + self.__print_description(section, indent) + print '{0}{1}{2} {{'.format(self.__indent * indent, comment, section.name) + print + for o in section.options: + if o.section: + self.__print_section(o, indent + 1, section.commented) + else: + self.__print_option(o, indent + 1, section.commented) + print '{0}{1}}}'.format(self.__indent * indent, comment) + print + + def format(self, options): + """Print a list of options""" + if not options: + return + for option in options: + if option.section: + self.__print_section(option, 0, False) + else: + self.__print_option(option, 0, False) + +class ManFormatter: + """Formats a list of options into a groff snippet""" + def __init__(self): + self.__wrapper = TextWrapper(width = 80, replace_whitespace = False, + break_long_words = False, break_on_hyphens = False) + self.__tags = GroffTagReplacer() + + def __groffize(self, text): + """Encode text as groff text""" + text = self.__tags.replace(text) + text = re.sub(r'(? is the full path to the log file. 
+ # {
+
+ # Loglevel for a specific subsystem.
+ # =
+
+ # If this option is enabled log entries are appended to the existing
+ # file.
+ # append = yes
+
+ # Default loglevel.
+ # default = 1
+
+ # Enabling this option disables block buffering and enables line
+ # buffering.
+ # flush_line = no
+
+ # Prefix each log entry with the connection name and a unique
+ # numerical identifier for each IKE_SA.
+ # ike_name = no
+
+ # Prefix each log entry with a timestamp. The option accepts a
+ # format string as passed to strftime(3).
+ # time_format =
+
+ # }
+
+ }
+
+ # Section to define syslog loggers, see LOGGER CONFIGURATION in
+ # strongswan.conf(5).
+ syslog {
+
+ # Identifier for use with openlog(3).
+ # identifier =
+
+ # is one of the supported syslog facilities, see LOGGER
+ # CONFIGURATION in strongswan.conf(5).
+ # {
+
+ # Loglevel for a specific subsystem.
+ # =
+
+ # Default loglevel.
+ # default = 1
+
+ # Prefix each log entry with the connection name and a unique
+ # numerical identifier for each IKE_SA.
+ # ike_name = no
+
+ # }
+
+ }
+
+}
+
diff --git a/conf/options/charon-logging.opt b/conf/options/charon-logging.opt
new file mode 100644
index 000000000..b437a9cc3
--- /dev/null
+++ b/conf/options/charon-logging.opt
@@ -0,0 +1,57 @@
+charon.filelog {}
+ Section to define file loggers, see LOGGER CONFIGURATION in
+ **strongswan.conf**(5).
+
+charon.filelog. { # }
+ is the full path to the log file.
+
+charon.filelog..default = 1
+ Default loglevel.
+
+ Specifies the default loglevel to be used for subsystems for which no
+ specific loglevel is defined.
+
+charon.filelog.. =
+ Loglevel for a specific subsystem.
+
+charon.filelog..append = yes
+ If this option is enabled log entries are appended to the existing file.
+
+charon.filelog..flush_line = no
+ Enabling this option disables block buffering and enables line buffering.
+
+charon.filelog..ike_name = no
+ Prefix each log entry with the connection name and a unique numerical
+ identifier for each IKE_SA.
+
+charon.filelog..time_format
+ Prefix each log entry with a timestamp. The option accepts a format string
+ as passed to **strftime**(3).
+
+charon.syslog {}
+ Section to define syslog loggers, see LOGGER CONFIGURATION in
+ **strongswan.conf**(5).
+
+charon.syslog.identifier
+ Identifier for use with openlog(3).
+
+ Global identifier used for an **openlog**(3) call, prepended to each log
+ message by syslog. If not configured, **openlog**(3) is not called, so the
+ value will depend on system defaults (often the program name).
+
+charon.syslog. { # }
+ is one of the supported syslog facilities, see LOGGER
+ CONFIGURATION in **strongswan.conf**(5).
+
+charon.syslog..default = 1
+ Default loglevel.
+
+ Specifies the default loglevel to be used for subsystems for which no
+ specific loglevel is defined.
+
+charon.syslog.. =
+ Loglevel for a specific subsystem.
+
+charon.syslog..ike_name = no
+ Prefix each log entry with the connection name and a unique numerical
+ identifier for each IKE_SA.
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
new file mode 100644
index 000000000..5cab2b1c4
--- /dev/null
+++ b/conf/options/charon.conf
@@ -0,0 +1,281 @@
+# Options for the charon IKE daemon.
+charon {
+
+ # Maximum number of half-open IKE_SAs for a single peer IP.
+ # block_threshold = 5
+
+ # Whether relations in validated certificate chains should be cached in
+ # memory.
+ # cert_cache = yes
+
+ # Send Cisco Unity vendor ID payload (IKEv1 only).
+ # cisco_unity = no
+
+ # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
+ # close_ike_on_child_failure = no
+
+ # Number of half-open IKE_SAs that activate the cookie mechanism.
+ # cookie_threshold = 10
+
+ # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
+ # strength.
+ # dh_exponent_ansi_x9_42 = yes
+
+ # DNS server assigned to peer via configuration payload (CP).
+ # dns1 =
+
+ # DNS server assigned to peer via configuration payload (CP).
+ # dns2 =
+
+ # Enable Denial of Service protection using cookies and aggressiveness
+ # checks.
+ # dos_protection = yes
+
+ # Compliance with the errata for RFC 4753.
+ # ecp_x_coordinate_only = yes
+
+ # Free objects during authentication (might conflict with plugins).
+ # flush_auth_cfg = no
+
+ # Maximum size (in bytes) of a sent fragment when using the proprietary
+ # IKEv1 fragmentation extension.
+ # fragment_size = 512
+
+ # Name of the group the daemon changes to after startup.
+ # group =
+
+ # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
+ # half_open_timeout = 30
+
+ # Enable hash and URL support.
+ # hash_and_url = no
+
+ # Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
+ # i_dont_care_about_security_and_use_aggressive_mode_psk = no
+
+ # A space-separated list of routing tables to be excluded from route
+ # lookups.
+ # ignore_routing_tables =
+
+ # Maximum number of IKE_SAs that can be established at the same time before
+ # new connection attempts are blocked.
+ # ikesa_limit = 0
+
+ # Number of exclusively locked segments in the hash table.
+ # ikesa_table_segments = 1
+
+ # Size of the IKE_SA hash table.
+ # ikesa_table_size = 1
+
+ # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
+ # inactivity_close_ike = no
+
+ # Limit new connections based on the current number of half open IKE_SAs,
+ # see IKE_SA_INIT DROPPING in strongswan.conf(5).
+ # init_limit_half_open = 0
+
+ # Limit new connections based on the number of queued jobs.
+ # init_limit_job_load = 0
+
+ # Causes charon daemon to ignore IKE initiation requests.
+ # initiator_only = no
+
+ # Install routes into a separate routing table for established IPsec
+ # tunnels.
+ # install_routes = yes
+
+ # Install virtual IP addresses.
+ # install_virtual_ip = yes
+
+ # The name of the interface on which virtual IP addresses should be
+ # installed.
+ # install_virtual_ip_on =
+
+ # Check daemon, libstrongswan and plugin integrity at startup.
+ # integrity_test = no
+
+ # A comma-separated list of network interfaces that should be ignored, if
+ # interfaces_use is specified this option has no effect.
+ # interfaces_ignore =
+
+ # A comma-separated list of network interfaces that should be used by
+ # charon. All other interfaces are ignored.
+ # interfaces_use =
+
+ # NAT keep alive interval.
+ # keep_alive = 20s
+
+ # Plugins to load in the IKE daemon charon.
+ # load =
+
+ # Determine plugins to load via each plugin's load option.
+ # load_modular = no
+
+ # Maximum packet size accepted by charon.
+ # max_packet = 10000
+
+ # Enable multiple authentication exchanges (RFC 4739).
+ # multiple_authentication = yes
+
+ # WINS servers assigned to peer via configuration payload (CP).
+ # nbns1 =
+
+ # WINS servers assigned to peer via configuration payload (CP).
+ # nbns2 =
+
+ # UDP port used locally. If set to 0 a random port will be allocated.
+ # port = 500
+
+ # UDP port used locally in case of NAT-T. If set to 0 a random port will be
+ # allocated. Has to be different from charon.port, otherwise a random port
+ # will be allocated.
+ # port_nat_t = 4500
+
+ # Process RTM_NEWROUTE and RTM_DELROUTE events.
+ # process_route = yes
+
+ # Delay in ms for receiving packets, to simulate larger RTT.
+ # receive_delay = 0
+
+ # Delay request messages.
+ # receive_delay_request = yes
+
+ # Delay response messages.
+ # receive_delay_response = yes
+
+ # Specific IKEv2 message type to delay, 0 for any.
+ # receive_delay_type = 0
+
+ # Size of the AH/ESP replay window, in packets.
+ # replay_window = 32
+
+ # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
+ # in strongswan.conf(5).
+ # retransmit_base = 1.8
+
+ # Timeout in seconds before sending first retransmit.
+ # retransmit_timeout = 4.0
+
+ # Number of times to retransmit a packet before giving up.
+ # retransmit_tries = 5
+
+ # Interval to use when retrying to initiate an IKE_SA (e.g. if DNS
+ # resolution failed), 0 to disable retries.
+ # retry_initiate_interval = 0
+
+ # Initiate CHILD_SA within existing IKE_SAs.
+ # reuse_ikesa = yes
+
+ # Numerical routing table to install routes to.
+ # routing_table =
+
+ # Priority of the routing table.
+ # routing_table_prio =
+
+ # Delay in ms for sending packets, to simulate larger RTT.
+ # send_delay = 0
+
+ # Delay request messages.
+ # send_delay_request = yes
+
+ # Delay response messages.
+ # send_delay_response = yes
+
+ # Specific IKEv2 message type to delay, 0 for any.
+ # send_delay_type = 0
+
+ # Send strongSwan vendor ID payload
+ # send_vendor_id = no
+
+ # Number of worker threads in charon.
+ # threads = 16
+
+ # Name of the user the daemon changes to after startup.
+ # user =
+
+ crypto_test {
+
+ # Benchmark crypto algorithms and order them by efficiency.
+ # bench = no
+
+ # Buffer size used for crypto benchmark.
+ # bench_size = 1024
+
+ # Number of iterations to test each algorithm.
+ # bench_time = 50
+
+ # Test crypto algorithms during registration (requires test vectors
+ # provided by the test-vectors plugin).
+ # on_add = no
+
+ # Test crypto algorithms on each crypto primitive instantiation.
+ # on_create = no
+
+ # Strictly require at least one test vector to enable an algorithm.
+ # required = no
+
+ # Whether to test RNG with TRUE quality; requires a lot of entropy.
+ # rng_true = no
+
+ }
+
+ host_resolver {
+
+ # Maximum number of concurrent resolver threads (they are terminated if
+ # unused).
+ # max_threads = 3
+
+ # Minimum number of resolver threads to keep around.
+ # min_threads = 0
+
+ }
+
+ leak_detective {
+
+ # Includes source file names and line numbers in leak detective output.
+ # detailed = yes
+
+ # Threshold in bytes for leaks to be reported (0 to report all).
+ # usage_threshold = 10240
+
+ # Threshold in number of allocations for leaks to be reported (0 to
+ # report all).
+ # usage_threshold_count = 0
+
+ }
+
+ processor {
+
+ # Section to configure the number of reserved threads per priority class
+ # see JOB PRIORITY MANAGEMENT in strongswan.conf(5).
+ priority_threads {
+
+ }
+
+ }
+
+ tls {
+
+ # List of TLS encryption ciphers.
+ # cipher =
+
+ # List of TLS key exchange methods.
+ # key_exchange =
+
+ # List of TLS MAC algorithms.
+ # mac =
+
+ # List of TLS cipher suites.
+ # suites =
+
+ }
+
+ x509 {
+
+ # Discard certificates with unsupported or unknown critical extensions.
+ # enforce_critical = yes
+
+ }
+
+}
+
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
new file mode 100644
index 000000000..c6f4f1e9e
--- /dev/null
+++ b/conf/options/charon.opt
@@ -0,0 +1,284 @@
+charon {}
+ Options for the charon IKE daemon.
+
+ Options for the charon IKE daemon.
+
+ **Note**: Many of the options in this section also apply to **charon-cmd**
+ and other **charon** derivatives. Just use their respective name (e.g.
+ **charon-cmd** instead of **charon**). For many options defaults can be
+ defined in the **libstrongswan** section.
+
+charon.block_threshold = 5
+ Maximum number of half-open IKE_SAs for a single peer IP.
+
+charon.cert_cache = yes
+ Whether relations in validated certificate chains should be cached in
+ memory.
+
+charon.cisco_unity = no
+ Send Cisco Unity vendor ID payload (IKEv1 only).
+
+charon.close_ike_on_child_failure = no
+ Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
+
+charon.cookie_threshold = 10
+ Number of half-open IKE_SAs that activate the cookie mechanism.
+
+charon.crypto_test.bench = no
+ Benchmark crypto algorithms and order them by efficiency.
+
+charon.crypto_test.bench_size = 1024
+ Buffer size used for crypto benchmark.
+
+charon.crypto_test.bench_time = 50
+ Number of iterations to test each algorithm.
+
+charon.crypto_test.on_add = no
+ Test crypto algorithms during registration (requires test vectors provided
+ by the _test-vectors_ plugin).
+
+charon.crypto_test.on_create = no
+ Test crypto algorithms on each crypto primitive instantiation.
+
+charon.crypto_test.required = no
+ Strictly require at least one test vector to enable an algorithm.
+
+charon.crypto_test.rng_true = no
+ Whether to test RNG with TRUE quality; requires a lot of entropy.
+
+charon.dh_exponent_ansi_x9_42 = yes
+ Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
+ strength.
+
+charon.dns1
+ DNS server assigned to peer via configuration payload (CP).
+
+charon.dns2
+ DNS server assigned to peer via configuration payload (CP).
+
+charon.dos_protection = yes
+ Enable Denial of Service protection using cookies and aggressiveness checks.
+
+charon.ecp_x_coordinate_only = yes
+ Compliance with the errata for RFC 4753.
+
+charon.flush_auth_cfg = no
+ Free objects during authentication (might conflict with plugins).
+
+ If enabled objects used during authentication (certificates, identities
+ etc.) are released to free memory once an IKE_SA is established. Enabling
+ this might conflict with plugins that later need access to e.g. the used
+ certificates.
+
+charon.fragment_size = 512
+ Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
+ fragmentation extension.
+
+charon.group
+ Name of the group the daemon changes to after startup.
+
+charon.half_open_timeout = 30
+ Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
+
+charon.hash_and_url = no
+ Enable hash and URL support.
+
+charon.host_resolver.max_threads = 3
+ Maximum number of concurrent resolver threads (they are terminated if
+ unused).
+
+charon.host_resolver.min_threads = 0
+ Minimum number of resolver threads to keep around.
+
+charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no
+ Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
+
+ If enabled responders are allowed to use IKEv1 Aggressive Mode with
+ pre-shared keys, which is discouraged due to security concerns (offline
+ attacks on the openly transmitted hash of the PSK).
+
+charon.ignore_routing_tables
+ A space-separated list of routing tables to be excluded from route lookups.
+
+charon.ikesa_limit = 0
+ Maximum number of IKE_SAs that can be established at the same time before
+ new connection attempts are blocked.
+
+charon.ikesa_table_segments = 1
+ Number of exclusively locked segments in the hash table.
+
+charon.ikesa_table_size = 1
+ Size of the IKE_SA hash table.
+
+charon.inactivity_close_ike = no
+ Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
+
+charon.init_limit_half_open = 0
+ Limit new connections based on the current number of half open IKE_SAs, see
+ IKE_SA_INIT DROPPING in **strongswan.conf**(5).
+
+charon.init_limit_job_load = 0
+ Limit new connections based on the number of queued jobs.
+
+ Limit new connections based on the number of jobs currently queued for
+ processing (see IKE_SA_INIT DROPPING).
+
+charon.initiator_only = no
+ Causes charon daemon to ignore IKE initiation requests.
+
+charon.install_routes = yes
+ Install routes into a separate routing table for established IPsec tunnels.
+
+charon.install_virtual_ip = yes
+ Install virtual IP addresses.
+
+charon.install_virtual_ip_on
+ The name of the interface on which virtual IP addresses should be installed.
+
+ The name of the interface on which virtual IP addresses should be installed.
+ If not specified the addresses will be installed on the outbound interface.
+
+charon.integrity_test = no
+ Check daemon, libstrongswan and plugin integrity at startup.
+
+charon.interfaces_ignore
+ A comma-separated list of network interfaces that should be ignored, if
+ **interfaces_use** is specified this option has no effect.
+
+charon.interfaces_use
+ A comma-separated list of network interfaces that should be used by charon.
+ All other interfaces are ignored.
+
+charon.keep_alive = 20s
+ NAT keep alive interval.
+
+charon.leak_detective.detailed = yes
+ Includes source file names and line numbers in leak detective output.
+
+charon.leak_detective.usage_threshold = 10240
+ Threshold in bytes for leaks to be reported (0 to report all).
+
+charon.leak_detective.usage_threshold_count = 0
+ Threshold in number of allocations for leaks to be reported (0 to report
+ all).
+
+charon.load
+ Plugins to load in the IKE daemon charon.
+
+charon.load_modular = no
+ Determine plugins to load via each plugin's load option.
+
+ If enabled, the list of plugins to load is determined via the value of the
+ _charon.plugins..load_ options.
In addition to a simple boolean flag
+ that option may take an integer value indicating the priority of a plugin,
+ which would influence the order of a plugin in the plugin list (the default
+ is 1). If two plugins have the same priority their order in the default
+ plugin list is preserved. Enabled plugins not found in that list are ordered
+ alphabetically before other plugins with the same priority.
+
+charon.max_packet = 10000
+ Maximum packet size accepted by charon.
+
+charon.multiple_authentication = yes
+ Enable multiple authentication exchanges (RFC 4739).
+
+charon.nbns1
+ WINS servers assigned to peer via configuration payload (CP).
+
+charon.nbns2
+ WINS servers assigned to peer via configuration payload (CP).
+
+charon.port = 500
+ UDP port used locally. If set to 0 a random port will be allocated.
+
+charon.port_nat_t = 4500
+ UDP port used locally in case of NAT-T. If set to 0 a random port will be
+ allocated. Has to be different from **charon.port**, otherwise a random
+ port will be allocated.
+
+charon.process_route = yes
+ Process RTM_NEWROUTE and RTM_DELROUTE events.
+
+charon.processor.priority_threads {}
+ Section to configure the number of reserved threads per priority class
+ see JOB PRIORITY MANAGEMENT in **strongswan.conf**(5).
+
+charon.receive_delay = 0
+ Delay in ms for receiving packets, to simulate larger RTT.
+
+charon.receive_delay_response = yes
+ Delay response messages.
+
+charon.receive_delay_request = yes
+ Delay request messages.
+
+charon.receive_delay_type = 0
+ Specific IKEv2 message type to delay, 0 for any.
+
+charon.replay_window = 32
+ Size of the AH/ESP replay window, in packets.
+
+charon.retransmit_base = 1.8
+ Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
+ in **strongswan.conf**(5).
+
+charon.retransmit_timeout = 4.0
+ Timeout in seconds before sending first retransmit.
+
+charon.retransmit_tries = 5
+ Number of times to retransmit a packet before giving up.
+
+charon.retry_initiate_interval = 0
+ Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
+ failed), 0 to disable retries.
+
+charon.reuse_ikesa = yes
+ Initiate CHILD_SA within existing IKE_SAs.
+
+charon.routing_table
+ Numerical routing table to install routes to.
+
+charon.routing_table_prio
+ Priority of the routing table.
+
+charon.send_delay = 0
+ Delay in ms for sending packets, to simulate larger RTT.
+
+charon.send_delay_response = yes
+ Delay response messages.
+
+charon.send_delay_request = yes
+ Delay request messages.
+
+charon.send_delay_type = 0
+ Specific IKEv2 message type to delay, 0 for any.
+
+charon.send_vendor_id = no
+ Send strongSwan vendor ID payload
+
+charon.threads = 16
+ Number of worker threads in charon.
+
+ Number of worker threads in charon. Several of these are reserved for long
+ running tasks in internal modules and plugins. Therefore, make sure you
+ don't set this value too low. The number of idle worker threads listed in
+ _ipsec statusall_ might be used as indicator on the number of reserved
+ threads.
+
+charon.tls.cipher
+ List of TLS encryption ciphers.
+
+charon.tls.key_exchange
+ List of TLS key exchange methods.
+
+charon.tls.mac
+ List of TLS MAC algorithms.
+
+charon.tls.suites
+ List of TLS cipher suites.
+
+charon.user
+ Name of the user the daemon changes to after startup.
+
+charon.x509.enforce_critical = yes
+ Discard certificates with unsupported or unknown critical extensions.
diff --git a/conf/options/imcv.conf b/conf/options/imcv.conf
new file mode 100644
index 000000000..92016ef52
--- /dev/null
+++ b/conf/options/imcv.conf
@@ -0,0 +1,43 @@
+charon {
+
+ # Defaults for options in this section can be configured in the libimcv
+ # section.
+ imcv {
+
+ # Whether IMVs send a standard IETF Assessment Result attribute.
+ # assessment_result = yes
+
+ # Global IMV policy database URI. If it contains a password, make sure
+ # to adjust the permissions of the config file accordingly.
+ # database =
+
+ # Script called for each TNC connection to generate IMV policies.
+ # policy_script = ipsec _imv_policy
+
+ os_info {
+
+ # Manually set the name of the client OS (e.g. Ubuntu).
+ # name =
+
+ # Manually set the version of the client OS (e.g. 12.04 i686).
+ # version =
+
+ }
+
+ }
+
+}
+
+libimcv {
+
+ # Debug level for a stand-alone libimcv library.
+ # debug_level = 1
+
+ # Plugins to load in IMC/IMVs with stand-alone libimcv library.
+ # load = random nonce gmp pubkey x509
+
+ # Disable output to stderr with a stand-alone libimcv library.
+ # stderr_quiet = no
+
+}
+
diff --git a/conf/options/imcv.opt b/conf/options/imcv.opt
new file mode 100644
index 000000000..a249a7b14
--- /dev/null
+++ b/conf/options/imcv.opt
@@ -0,0 +1,28 @@
+charon.imcv {}
+ Defaults for options in this section can be configured in the _libimcv_
+ section.
+
+charon.imcv.assessment_result = yes
+ Whether IMVs send a standard IETF Assessment Result attribute.
+
+charon.imcv.database =
+ Global IMV policy database URI. If it contains a password, make sure to
+ adjust the permissions of the config file accordingly.
+
+charon.imcv.os_info.name =
+ Manually set the name of the client OS (e.g. Ubuntu).
+
+charon.imcv.os_info.version =
+ Manually set the version of the client OS (e.g. 12.04 i686).
+
+charon.imcv.policy_script = ipsec _imv_policy
+ Script called for each TNC connection to generate IMV policies.
+
+libimcv.debug_level = 1
+ Debug level for a stand-alone _libimcv_ library.
+
+libimcv.load = random nonce gmp pubkey x509
+ Plugins to load in IMC/IMVs with stand-alone _libimcv_ library.
+
+libimcv.stderr_quiet = no
+ Disable output to stderr with a stand-alone _libimcv_ library.
diff --git a/conf/options/manager.conf b/conf/options/manager.conf
new file mode 100644
index 000000000..bb0934688
--- /dev/null
+++ b/conf/options/manager.conf
@@ -0,0 +1,23 @@
+manager {
+
+ # Credential database URI for manager. If it contains a password, make sure
+ # to adjust the permissions of the config file accordingly.
+ # database =
+
+ # Enable debugging in manager.
+ # debug = no
+
+ # Plugins to load in manager.
+ # load =
+
+ # FastCGI socket of manager, to run it statically.
+ # socket =
+
+ # Threads to use for request handling.
+ # threads = 10
+
+ # Session timeout for manager.
+ # timeout = 15m
+
+}
+
diff --git a/conf/options/manager.opt b/conf/options/manager.opt
new file mode 100644
index 000000000..dbac73110
--- /dev/null
+++ b/conf/options/manager.opt
@@ -0,0 +1,18 @@
+manager.database =
+ Credential database URI for manager. If it contains a password, make
+ sure to adjust the permissions of the config file accordingly.
+
+manager.debug = no
+ Enable debugging in manager.
+
+manager.load =
+ Plugins to load in manager.
+
+manager.socket =
+ FastCGI socket of manager, to run it statically.
+
+manager.threads = 10
+ Threads to use for request handling.
+
+manager.timeout = 15m
+ Session timeout for manager.
diff --git a/conf/options/medsrv.conf b/conf/options/medsrv.conf
new file mode 100644
index 000000000..b3026ea3f
--- /dev/null
+++ b/conf/options/medsrv.conf
@@ -0,0 +1,32 @@
+medsrv {
+
+ # Mediation server database URI. If it contains a password, make sure to
+ # adjust the permissions of the config file accordingly.
+ # database =
+
+ # Debugging in mediation server web application.
+ # debug = no
+
+ # DPD timeout to use in mediation server plugin.
+ # dpd = 5m
+
+ # Plugins to load in mediation server plugin.
+ # load =
+
+ # Minimum password length required for mediation server user accounts.
+ # password_length = 6
+
+ # Rekeying time on mediation connections in mediation server plugin.
+ # rekey = 20m
+
+ # Run Mediation server web application statically on socket.
+ # socket =
+
+ # Number of thread for mediation service web application.
+ # threads = 5
+
+ # Session timeout for mediation service.
+ # timeout = 15m
+
+}
+
diff --git a/conf/options/medsrv.opt b/conf/options/medsrv.opt
new file mode 100644
index 000000000..f673b7e03
--- /dev/null
+++ b/conf/options/medsrv.opt
@@ -0,0 +1,27 @@
+medsrv.database =
+ Mediation server database URI. If it contains a password, make
+ sure to adjust the permissions of the config file accordingly.
+
+medsrv.debug = no
+ Debugging in mediation server web application.
+
+medsrv.dpd = 5m
+ DPD timeout to use in mediation server plugin.
+
+medsrv.load =
+ Plugins to load in mediation server plugin.
+
+medsrv.password_length = 6
+ Minimum password length required for mediation server user accounts.
+
+medsrv.rekey = 20m
+ Rekeying time on mediation connections in mediation server plugin.
+
+medsrv.socket =
+ Run Mediation server web application statically on socket.
+
+medsrv.threads = 5
+ Number of thread for mediation service web application.
+
+medsrv.timeout = 15m
+ Session timeout for mediation service.
diff --git a/conf/options/pacman.conf b/conf/options/pacman.conf
new file mode 100644
index 000000000..730e5435c
--- /dev/null
+++ b/conf/options/pacman.conf
@@ -0,0 +1,12 @@
+pacman {
+
+ # Database URI for the database that stores the package information. If it
+ # contains a password, make sure to adjust the permissions of the config
+ # file accordingly.
+ # database =
+
+ # Plugins to load in package manager.
+ # load =
+
+}
+
diff --git a/conf/options/pacman.opt b/conf/options/pacman.opt
new file mode 100644
index 000000000..dfb4ba2b1
--- /dev/null
+++ b/conf/options/pacman.opt
@@ -0,0 +1,7 @@
+pacman.database =
+ Database URI for the database that stores the package information. If it
+ contains a password, make sure to adjust the permissions of the config file
+ accordingly.
+
+pacman.load =
+ Plugins to load in package manager.
diff --git a/conf/options/pool.conf b/conf/options/pool.conf
new file mode 100644
index 000000000..297c0f8cf
--- /dev/null
+++ b/conf/options/pool.conf
@@ -0,0 +1,12 @@
+pool {
+
+ # Database URI for the database that stores IP pools and configuration
+ # attributes. If it contains a password, make sure to adjust the
+ # permissions of the config file accordingly.
+ # database =
+
+ # Plugins to load in ipsec pool tool.
+ # load =
+
+}
+
diff --git a/conf/options/pool.opt b/conf/options/pool.opt
new file mode 100644
index 000000000..79458c779
--- /dev/null
+++ b/conf/options/pool.opt
@@ -0,0 +1,7 @@
+pool.database
+ Database URI for the database that stores IP pools and configuration
+ attributes. If it contains a password, make sure to adjust the permissions
+ of the config file accordingly.
+
+pool.load =
+ Plugins to load in ipsec pool tool.
diff --git a/conf/options/starter.conf b/conf/options/starter.conf
new file mode 100644
index 000000000..8465f7e53
--- /dev/null
+++ b/conf/options/starter.conf
@@ -0,0 +1,10 @@
+starter {
+
+ # Plugins to load in starter.
+ # load =
+
+ # Disable charon plugin load option warning.
+ # load_warning = yes
+
+}
+
diff --git a/conf/options/starter.opt b/conf/options/starter.opt
new file mode 100644
index 000000000..4e6574d58
--- /dev/null
+++ b/conf/options/starter.opt
@@ -0,0 +1,5 @@
+starter.load =
+ Plugins to load in starter.
+
+starter.load_warning = yes
+ Disable charon plugin load option warning.
diff --git a/conf/options/tnc.conf b/conf/options/tnc.conf
new file mode 100644
index 000000000..6736a2d0a
--- /dev/null
+++ b/conf/options/tnc.conf
@@ -0,0 +1,11 @@
+charon {
+
+ tnc {
+
+ # TNC IMC/IMV configuration file.
+ # tnc_config = /etc/tnc_config
+
+ }
+
+}
+
diff --git a/conf/options/tnc.opt b/conf/options/tnc.opt
new file mode 100644
index 000000000..467723ea6
--- /dev/null
+++ b/conf/options/tnc.opt
@@ -0,0 +1,2 @@
+charon.tnc.tnc_config = /etc/tnc_config
+ TNC IMC/IMV configuration file.
diff --git a/conf/options/tools.conf b/conf/options/tools.conf
new file mode 100644
index 000000000..a3ab099ed
--- /dev/null
+++ b/conf/options/tools.conf
@@ -0,0 +1,21 @@
+openac {
+
+ # Plugins to load in ipsec openac tool.
+ # load =
+
+}
+
+pki {
+
+ # Plugins to load in ipsec pki tool.
+ # load =
+
+}
+
+scepclient {
+
+ # Plugins to load in ipsec scepclient tool.
+ # load =
+
+}
+
diff --git a/conf/options/tools.opt b/conf/options/tools.opt
new file mode 100644
index 000000000..23e6a1c9f
--- /dev/null
+++ b/conf/options/tools.opt
@@ -0,0 +1,8 @@
+openac.load =
+ Plugins to load in ipsec openac tool.
+
+pki.load =
+ Plugins to load in ipsec pki tool.
+
+scepclient.load =
+ Plugins to load in ipsec scepclient tool.
diff --git a/conf/plugins/android_log.conf b/conf/plugins/android_log.conf
new file mode 100644
index 000000000..4d87eed85
--- /dev/null
+++ b/conf/plugins/android_log.conf
@@ -0,0 +1,11 @@
+android_log {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Loglevel for logging to Android specific logger.
+ # loglevel = 1
+
+}
+
diff --git a/conf/plugins/android_log.opt b/conf/plugins/android_log.opt
new file mode 100644
index 000000000..801b8bf19
--- /dev/null
+++ b/conf/plugins/android_log.opt
@@ -0,0 +1,2 @@
+charon.plugins.android_log.loglevel = 1
+ Loglevel for logging to Android specific logger.
diff --git a/conf/plugins/attr-sql.conf b/conf/plugins/attr-sql.conf
new file mode 100644
index 000000000..24d4e809d
--- /dev/null
+++ b/conf/plugins/attr-sql.conf
@@ -0,0 +1,16 @@
+attr-sql {
+
+ # Database URI for attr-sql plugin used by charon. If it contains a
+ # password, make sure to adjust the permissions of the config file
+ # accordingly.
+ # database =
+
+ # Enable logging of SQL IP pool leases.
+ # lease_history = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/attr-sql.opt b/conf/plugins/attr-sql.opt
new file mode 100644
index 000000000..abd749e3e
--- /dev/null
+++ b/conf/plugins/attr-sql.opt
@@ -0,0 +1,6 @@
+charon.plugins.attr-sql.database
+ Database URI for attr-sql plugin used by charon. If it contains a password,
+ make sure to adjust the permissions of the config file accordingly.
+
+charon.plugins.attr-sql.lease_history = yes
+ Enable logging of SQL IP pool leases.
diff --git a/conf/plugins/attr.conf b/conf/plugins/attr.conf
new file mode 100644
index 000000000..7a3645b79
--- /dev/null
+++ b/conf/plugins/attr.conf
@@ -0,0 +1,14 @@
+# Section to specify arbitrary attributes that are assigned to a peer via
+# configuration payload (CP).
+attr {
+
+ # is an attribute name or an integer, values can be an IP address,
+ # subnet or arbitrary value.
+ # =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/attr.opt b/conf/plugins/attr.opt
new file mode 100644
index 000000000..f3c187c7b
--- /dev/null
+++ b/conf/plugins/attr.opt
@@ -0,0 +1,14 @@
+charon.plugins.attr {}
+ Section to specify arbitrary attributes that are assigned to a peer via
+ configuration payload (CP).
+
+charon.plugins.attr.
+ is an attribute name or an integer, values can be an IP address,
+ subnet or arbitrary value.
+
+ **** can be either _address_, _netmask_, _dns_, _nbns_, _dhcp_,
+ _subnet_, _split-include_, _split-exclude_ or the numeric identifier of the
+ attribute type. The assigned value can be an IPv4/IPv6 address, a subnet in
+ CIDR notation or an arbitrary value depending on the attribute type. For
+ some attribute types multiple values may be specified as a comma separated
+ list.
diff --git a/conf/plugins/certexpire.conf b/conf/plugins/certexpire.conf
new file mode 100644
index 000000000..543848c15
--- /dev/null
+++ b/conf/plugins/certexpire.conf
@@ -0,0 +1,38 @@
+certexpire {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ csv {
+
+ # Cron style string specifying CSV export times.
+ # cron =
+
+ # String to use in empty intermediate CA fields.
+ # empty_string =
+
+ # Use a fixed intermediate CA field count.
+ # fixed_fields = yes
+
+ # Force export of all trustchains we have a private key for.
+ # force = yes
+
+ # strftime(3) format string to export expiration dates as.
+ # format = %d:%m:%Y
+
+ # strftime(3) format string for the CSV file name to export local
+ # certificates to.
+ # local =
+
+ # strftime(3) format string for the CSV file name to export remote
+ # certificates to.
+ # remote =
+
+ # CSV field separator.
+ # separator = ,
+
+ }
+
+}
+
diff --git a/conf/plugins/certexpire.opt b/conf/plugins/certexpire.opt
new file mode 100644
index 000000000..7c165383a
--- /dev/null
+++ b/conf/plugins/certexpire.opt
@@ -0,0 +1,25 @@
+charon.plugins.certexpire.csv.cron
+ Cron style string specifying CSV export times.
+
+charon.plugins.certexpire.csv.empty_string =
+ String to use in empty intermediate CA fields.
+
+charon.plugins.certexpire.csv.fixed_fields = yes
+ Use a fixed intermediate CA field count.
+
+charon.plugins.certexpire.csv.force = yes
+ Force export of all trustchains we have a private key for.
+
+charon.plugins.certexpire.csv.format = %d:%m:%Y
+ **strftime**(3) format string to export expiration dates as.
+
+charon.plugins.certexpire.csv.local
+ **strftime**(3) format string for the CSV file name to export local
+ certificates to.
+
+charon.plugins.certexpire.csv.remote
+ **strftime**(3) format string for the CSV file name to export remote
+ certificates to.
+
+charon.plugins.certexpire.csv.separator = ,
+ CSV field separator.
diff --git a/conf/plugins/coupling.conf b/conf/plugins/coupling.conf
new file mode 100644
index 000000000..a5c3d7868
--- /dev/null
+++ b/conf/plugins/coupling.conf
@@ -0,0 +1,17 @@
+coupling {
+
+ # File to store coupling list to.
+ # file =
+
+ # Hashing algorithm to fingerprint coupled certificates.
+ # hash = sha1
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of coupling entries to create.
+ # max = 1
+
+}
+
diff --git a/conf/plugins/coupling.opt b/conf/plugins/coupling.opt
new file mode 100644
index 000000000..179579d47
--- /dev/null
+++ b/conf/plugins/coupling.opt
@@ -0,0 +1,8 @@
+charon.plugins.coupling.file
+ File to store coupling list to.
+
+charon.plugins.coupling.hash = sha1
+ Hashing algorithm to fingerprint coupled certificates.
+
+charon.plugins.coupling.max = 1
+ Maximum number of coupling entries to create.
diff --git a/conf/plugins/dhcp.conf b/conf/plugins/dhcp.conf
new file mode 100644
index 000000000..b0e8c84c8
--- /dev/null
+++ b/conf/plugins/dhcp.conf
@@ -0,0 +1,20 @@
+dhcp {
+
+ # Always use the configured server address.
+ # force_server_address = no
+
+ # Derive user-defined MAC address from hash of IKE identity.
+ # identity_lease = no
+
+ # Interface name the plugin uses for address allocation.
+ # interface =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # DHCP server unicast or broadcast IP address.
+ # server = 255.255.255.255
+
+}
+
diff --git a/conf/plugins/dhcp.opt b/conf/plugins/dhcp.opt
new file mode 100644
index 000000000..9c7b86091
--- /dev/null
+++ b/conf/plugins/dhcp.opt
@@ -0,0 +1,22 @@
+charon.plugins.dhcp.force_server_address = no
+ Always use the configured server address.
+
+ Always use the configured server address. This might be helpful if the DHCP
+ server runs on the same host as strongSwan, and the DHCP daemon does not
+ listen on the loopback interface. In that case the server cannot be reached
+ via unicast (or even 255.255.255.255) as that would be routed via loopback.
+ Setting this option to yes and configuring the local broadcast address (e.g.
+ 192.168.0.255) as server address might work.
+
+charon.plugins.dhcp.identity_lease = no
+ Derive user-defined MAC address from hash of IKE identity.
+
+charon.plugins.dhcp.server = 255.255.255.255
+ DHCP server unicast or broadcast IP address.
+
+charon.plugins.dhcp.interface
+ Interface name the plugin uses for address allocation.
+
+ Interface name the plugin uses for address allocation. The default is to
+ bind to any (0.0.0.0) and let the system decide which way to route the
+ packets to the DHCP server.
diff --git a/conf/plugins/dnscert.conf b/conf/plugins/dnscert.conf
new file mode 100644
index 000000000..c29b6ed43
--- /dev/null
+++ b/conf/plugins/dnscert.conf
@@ -0,0 +1,11 @@
+dnscert {
+
+ # Enable fetching of CERT RRs via DNS.
+ # enable = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/dnscert.opt b/conf/plugins/dnscert.opt
new file mode 100644
index 000000000..fd5a8d819
--- /dev/null
+++ b/conf/plugins/dnscert.opt
@@ -0,0 +1,2 @@
+charon.plugins.dnscert.enable = no
+ Enable fetching of CERT RRs via DNS.
diff --git a/conf/plugins/duplicheck.conf b/conf/plugins/duplicheck.conf
new file mode 100644
index 000000000..212fe404d
--- /dev/null
+++ b/conf/plugins/duplicheck.conf
@@ -0,0 +1,14 @@
+duplicheck {
+
+ # Enable duplicheck plugin (if loaded).
+ # enable = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Socket provided by the duplicheck plugin.
+ # socket = unix://${piddir}/charon.dck
+
+}
+
diff --git a/conf/plugins/duplicheck.opt b/conf/plugins/duplicheck.opt
new file mode 100644
index 000000000..ff54fe3a8
--- /dev/null
+++ b/conf/plugins/duplicheck.opt
@@ -0,0 +1,5 @@
+charon.plugins.duplicheck.enable = yes
+ Enable duplicheck plugin (if loaded).
+
+charon.plugins.duplicheck.socket = unix://${piddir}/charon.dck
+ Socket provided by the duplicheck plugin.
diff --git a/conf/plugins/eap-aka-3ggp2.conf b/conf/plugins/eap-aka-3ggp2.conf
new file mode 100644
index 000000000..c52c99609
--- /dev/null
+++ b/conf/plugins/eap-aka-3ggp2.conf
@@ -0,0 +1,10 @@
+eap-aka-3ggp2 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # seq_check =
+
+}
+
diff --git a/conf/plugins/eap-aka-3ggp2.opt b/conf/plugins/eap-aka-3ggp2.opt
new file mode 100644
index 000000000..9e2a42b3f
--- /dev/null
+++ b/conf/plugins/eap-aka-3ggp2.opt
@@ -0,0 +1 @@
+charon.plugins.eap-aka-3ggp2.seq_check =
diff --git a/conf/plugins/eap-aka.conf b/conf/plugins/eap-aka.conf
new file mode 100644
index 000000000..278f1d677
--- /dev/null
+++ b/conf/plugins/eap-aka.conf
@@ -0,0 +1,10 @@
+eap-aka {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # request_identity = yes
+
+}
+
diff --git a/conf/plugins/eap-aka.opt b/conf/plugins/eap-aka.opt
new file mode 100644
index 000000000..e8d166db9
--- /dev/null
+++ b/conf/plugins/eap-aka.opt
@@ -0,0 +1 @@
+charon.plugins.eap-aka.request_identity = yes
diff --git a/conf/plugins/eap-dynamic.conf b/conf/plugins/eap-dynamic.conf
new file mode 100644
index 000000000..7b738b1b2
--- /dev/null
+++ b/conf/plugins/eap-dynamic.conf
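Review bot: The eap-aka-3ggp2.opt hunk declares `charon.plugins.eap-aka-3ggp2.seq_check =` with no description line, and the eap-aka.opt hunk does the same for `charon.plugins.eap-aka.request_identity = yes`; every other .opt entry in this commit carries at least a one-line description, and the generated .conf files for these two plugins consequently ship a bare `# seq_check =` and `# request_identity = yes` with no comment. Both options affect authentication behaviour, so an operator cannot tell from the shipped config what changing them does. A one-line description in the .opt file, in the same form as the neighbouring entries, would fix both the .opt and the generated .conf; the exact wording should be taken from the plugin code, as the hunk gives no hint of the semantics (e.g. whether `seq_check` enables checking of the AKA sequence number, and whether `request_identity` triggers an AKA identity exchange — both to be confirmed). The plugin directory name `eap-aka-3ggp2` also looks like a transposition of the 3GPP2 standard name, but that is presumably inherited from the existing plugin naming and not something this import introduces.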
@@ -0,0 +1,14 @@
+eap-dynamic {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Prefer peer's proposed EAP methods.
+ # prefer_user = no
+
+ # The preferred EAP method(s) to be used.
+ # preferred =
+
+}
+
diff --git a/conf/plugins/eap-dynamic.opt b/conf/plugins/eap-dynamic.opt
new file mode 100644
index 000000000..2d50a0aab
--- /dev/null
+++ b/conf/plugins/eap-dynamic.opt
@@ -0,0 +1,13 @@
+charon.plugins.eap-dynamic.preferred =
+ The preferred EAP method(s) to be used.
+
+ The preferred EAP method(s) to be used. If it is not given the first
+ registered method will be used initially. If a comma separated list is
+ given the methods are tried in the given order before trying the rest of
+ the registered methods.
+
+charon.plugins.eap-dynamic.prefer_user = no
+ Prefer peer's proposed EAP methods.
+
+ If enabled the EAP methods proposed in an EAP-Nak message sent by the peer
+ are preferred over the methods registered locally.
diff --git a/conf/plugins/eap-gtc.conf b/conf/plugins/eap-gtc.conf
new file mode 100644
index 000000000..4760f3fc8
--- /dev/null
+++ b/conf/plugins/eap-gtc.conf
@@ -0,0 +1,11 @@
+eap-gtc {
+
+ # XAuth backend to be used for credential verification.
+ # backend = pam
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/eap-gtc.opt b/conf/plugins/eap-gtc.opt
new file mode 100644
index 000000000..3fe8b7d68
--- /dev/null
+++ b/conf/plugins/eap-gtc.opt
@@ -0,0 +1,2 @@
+charon.plugins.eap-gtc.backend = pam
+ XAuth backend to be used for credential verification.
diff --git a/conf/plugins/eap-peap.conf b/conf/plugins/eap-peap.conf
new file mode 100644
index 000000000..600e16426
--- /dev/null
+++ b/conf/plugins/eap-peap.conf
@@ -0,0 +1,30 @@
+eap-peap {
+
+ # Maximum size of an EAP-PEAP packet.
+ # fragment_size = 1024
+
+ # Include length in non-fragmented EAP-PEAP packets.
+ # include_length = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of processed EAP-PEAP packets (0 = no limit).
+ # max_message_count = 32
+
+ # Phase2 EAP client authentication method.
+ # phase2_method = mschapv2
+
+ # Phase2 EAP Identity request piggybacked by server onto TLS Finished
+ # message.
+ # phase2_piggyback = no
+
+ # Start phase2 EAP TNC protocol after successful client authentication.
+ # phase2_tnc = no
+
+ # Request peer authentication based on a client certificate.
+ # request_peer_auth = no
+
+}
+
diff --git a/conf/plugins/eap-peap.opt b/conf/plugins/eap-peap.opt
new file mode 100644
index 000000000..6fe88606d
--- /dev/null
+++ b/conf/plugins/eap-peap.opt
@@ -0,0 +1,20 @@
+charon.plugins.eap-peap.fragment_size = 1024
+ Maximum size of an EAP-PEAP packet.
+
+charon.plugins.eap-peap.max_message_count = 32
+ Maximum number of processed EAP-PEAP packets (0 = no limit).
+
+charon.plugins.eap-peap.include_length = no
+ Include length in non-fragmented EAP-PEAP packets.
+
+charon.plugins.eap-peap.phase2_method = mschapv2
+ Phase2 EAP client authentication method.
+
+charon.plugins.eap-peap.phase2_piggyback = no
+ Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
+
+charon.plugins.eap-peap.phase2_tnc = no
+ Start phase2 EAP TNC protocol after successful client authentication.
+
+charon.plugins.eap-peap.request_peer_auth = no
+ Request peer authentication based on a client certificate.
diff --git a/conf/plugins/eap-radius.conf b/conf/plugins/eap-radius.conf
new file mode 100644
index 000000000..53023b81e
--- /dev/null
+++ b/conf/plugins/eap-radius.conf
@@ -0,0 +1,86 @@ +eap-radius { + + # Send RADIUS accounting information to RADIUS servers. + # accounting = no + + # If enabled, accounting is disabled unless an IKE_SA has at least one + # virtual IP. + # accounting_requires_vip = no + + # Use class attributes in RADIUS-Accept messages as group membership + # information. + # class_group = no + + # Closes all IKE_SAs if communication with the RADIUS server times out. If + # it is not set only the current IKE_SA is closed. + # close_all_on_timeout = no + + # Send EAP-Start instead of EAP-Identity to start RADIUS conversation. + # eap_start = no + + # Use filter_id attribute as group membership information. + # filter_id = no + + # Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the + # EAP method. + # id_prefix = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # NAS-Identifier to include in RADIUS messages. + # nas_identifier = strongSwan + + # Port of RADIUS server (authentication). + # port = 1812 + + # Shared secret between RADIUS and NAS. If set, make sure to adjust the + # permissions of the config file accordingly. + # secret = + + # IP/Hostname of RADIUS server. + # server = + + # Number of sockets (ports) to use, increase for high load. + # sockets = 1 + + dae { + + # Enables support for the Dynamic Authorization Extension (RFC 5176). + # enable = no + + # Address to listen for DAE messages from the RADIUS server. + # listen = 0.0.0.0 + + # Port to listen for DAE requests. + # port = 3799 + + # Shared secret used to verify/sign DAE messages. If set, make sure to + # adjust the permissions of the config file accordingly. + # secret = + + } + + forward { + + # RADIUS attributes to be forwarded from IKEv2 to RADIUS. + # ike_to_radius = + + # Same as ike_to_radius but from RADIUS to IKEv2. + # radius_to_ike = + + } + + # Section to specify multiple RADIUS servers. 
+ servers {
+
+ }
+
+ # Section to configure multiple XAuth authentication rounds via RADIUS.
+ xauth {
+
+ }
+
+}
+
diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt
new file mode 100644
index 000000000..0edd3458c
--- /dev/null
+++ b/conf/plugins/eap-radius.opt
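Review bot: `dae.listen = 0.0.0.0` in the `dae` subsection of eap-radius.conf binds the DAE listener to every local address once `dae.enable = yes`, and neither its comment nor the `dae.enable` text says so, while the only protection on incoming DAE requests visible in this hunk is the `dae.secret` shared secret. Extend the comment to `# Address to listen for DAE messages from the RADIUS server (0.0.0.0 = all interfaces; prefer the address the RADIUS server reaches you on).` and mirror the wording in eap-radius.opt under `charon.plugins.eap-radius.dae.listen`, since the .conf text is generated from it.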
@@ -0,0 +1,105 @@ +charon.plugins.eap-radius.accounting = no + Send RADIUS accounting information to RADIUS servers. + +charon.plugins.eap-radius.accounting_requires_vip = no + If enabled, accounting is disabled unless an IKE_SA has at least one + virtual IP. + +charon.plugins.eap-radius.class_group = no + Use class attributes in RADIUS-Accept messages as group membership + information. + + Use the _class_ attribute sent in the RADIUS-Accept message as group + membership information that is compared to the groups specified in the + **rightgroups** option in **ipsec.conf**(5). + +charon.plugins.eap-radius.close_all_on_timeout = no + Closes all IKE_SAs if communication with the RADIUS server times out. If it + is not set only the current IKE_SA is closed. + +charon.plugins.eap-radius.dae.enable = no + Enables support for the Dynamic Authorization Extension (RFC 5176). + +charon.plugins.eap-radius.dae.listen = 0.0.0.0 + Address to listen for DAE messages from the RADIUS server. + +charon.plugins.eap-radius.dae.port = 3799 + Port to listen for DAE requests. + +charon.plugins.eap-radius.dae.secret + Shared secret used to verify/sign DAE messages. If set, make sure to adjust + the permissions of the config file accordingly. + +charon.plugins.eap-radius.eap_start = no + Send EAP-Start instead of EAP-Identity to start RADIUS conversation. + +charon.plugins.eap-radius.filter_id = no + Use filter_id attribute as group membership information. + + If the RADIUS _tunnel_type_ attribute with value **ESP** is received, use + the _filter_id_ attribute sent in the RADIUS-Accept message as group + membership information that is compared to the groups specified in the + **rightgroups** option in **ipsec.conf**(5). + +charon.plugins.eap-radius.forward.ike_to_radius + RADIUS attributes to be forwarded from IKEv2 to RADIUS. 
+ + RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by + name or attribute number, a colon can be used to specify vendor-specific + attributes, e.g. Reply-Message, or 11, or 36906:12). + +charon.plugins.eap-radius.forward.radius_to_ike = + Same as ike_to_radius but from RADIUS to IKEv2. + + Same as _charon.plugins.eap-radius.forward.ike_to_radius_ but from RADIUS to + IKEv2, a strongSwan specific private notify (40969) is used to transmit the + attributes. + +charon.plugins.eap-radius.id_prefix + Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the + EAP method. + +charon.plugins.eap-radius.nas_identifier = strongSwan + NAS-Identifier to include in RADIUS messages. + +charon.plugins.eap-radius.port = 1812 + Port of RADIUS server (authentication). + +charon.plugins.eap-radius.secret = + Shared secret between RADIUS and NAS. If set, make sure to adjust the + permissions of the config file accordingly. + +charon.plugins.eap-radius.server = + IP/Hostname of RADIUS server. + +charon.plugins.eap-radius.servers {} + Section to specify multiple RADIUS servers. + + Section to specify multiple RADIUS servers. The **nas_identifier**, + **secret**, **sockets** and **port** (or **auth_port**) options can be + specified for each server. A server's IP/Hostname can be configured using + the **address** option. The **acct_port** [1813] option can be used to + specify the port used for RADIUS accounting. For each RADIUS server a + priority can be specified using the **preference** [0] option. + +charon.plugins.eap-radius.sockets = 1 + Number of sockets (ports) to use, increase for high load. + +charon.plugins.eap-radius.xauth {} + Section to configure multiple XAuth authentication rounds via RADIUS. + + Section to configure multiple XAuth authentication rounds via RADIUS. + The subsections define so called authentication profiles with arbitrary + names. 
In each profile section one or more XAuth types can be configured, + with an assigned message. For each type a separate XAuth exchange will be + initiated and all replies get concatenated into the User-Password attribute, + which then gets verified over RADIUS. + + Available XAuth types are **password**, **passcode**, **nextpin**, and + **answer**. This type is not relevant to strongSwan or the AAA server, but + the client may show a different dialog (along with the configured message). + + To use the configured profiles, they have to be configured in the respective + connection in **ipsec.conf**(5) by appending the profile name, separated by + a colon, to the **xauth-radius** XAauth backend configuration in _rightauth_ + or _rightauth2_, for instance, _rightauth2=xauth-radius:profile_. diff --git a/conf/plugins/eap-sim.conf b/conf/plugins/eap-sim.conf new file mode 100644 index 000000000..96ec2e02c --- /dev/null +++ b/conf/plugins/eap-sim.conf @@ -0,0 +1,10 @@ +eap-sim { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # request_identity = yes + +} + diff --git a/conf/plugins/eap-sim.opt b/conf/plugins/eap-sim.opt new file mode 100644 index 000000000..052454c0e --- /dev/null +++ b/conf/plugins/eap-sim.opt @@ -0,0 +1 @@ +charon.plugins.eap-sim.request_identity = yes diff --git a/conf/plugins/eap-simaka-sql.conf b/conf/plugins/eap-simaka-sql.conf new file mode 100644 index 000000000..1574a5a85 --- /dev/null +++ b/conf/plugins/eap-simaka-sql.conf @@ -0,0 +1,12 @@ +eap-simaka-sql { + + # database = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # remove_used = no + +} + diff --git a/conf/plugins/eap-simaka-sql.opt b/conf/plugins/eap-simaka-sql.opt new file mode 100644 index 000000000..6b87a7e94 --- /dev/null +++ b/conf/plugins/eap-simaka-sql.opt 
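Review bot: The eap-radius.opt hunk writes some keys without the trailing `=` (`charon.plugins.eap-radius.dae.secret`, `charon.plugins.eap-radius.forward.ike_to_radius`, `charon.plugins.eap-radius.id_prefix`) while every other empty-default key in this and the neighbouring .opt files has one (`charon.plugins.eap-radius.secret =`, `charon.plugins.eap-radius.server =`, `charon.plugins.eap-radius.forward.radius_to_ike =`); imv-attestation.opt repeats the mixed form for its six `pcr17_*`/`pcr18_*` keys. The generated .conf shows `# key =` either way, but the inconsistency makes the .opt files harder to lint and blurs the distinction from section keys such as `charon.plugins.eap-radius.servers {}`; add the `=` to the three keys here and to the six in imv-attestation.opt. Also, the `xauth {}` description reads `XAauth backend`, which should be `XAuth backend`.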
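Review bot: `charon.plugins.eap-sim.request_identity = yes` is the whole of eap-sim.opt, with no description, so the generated eap-sim.conf carries a bare `# request_identity = yes` and the man page will have nothing to say about it. The same gap exists in eap-simaka-sql.opt (`database`, `remove_used`), ha.opt (every key except `autobalance`, including `secret`, `local` and `remote`) and led.opt (`activity_led`, `blink_time`); for the ha keys in particular an operator gets no hint what `secret` protects or what form `local` and `remote` take. Add a one-line description under each key in the format the rest of these hunks use (key line, then an indented description line).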
@@ -0,0 +1,3 @@
+charon.plugins.eap-simaka-sql.database =
+
+charon.plugins.eap-simaka-sql.remove_used = no
diff --git a/conf/plugins/eap-tls.conf b/conf/plugins/eap-tls.conf
new file mode 100644
index 000000000..e3ce7ded7
--- /dev/null
+++ b/conf/plugins/eap-tls.conf
@@ -0,0 +1,17 @@
+eap-tls {
+
+ # Maximum size of an EAP-TLS packet.
+ # fragment_size = 1024
+
+ # Include length in non-fragmented EAP-TLS packets.
+ # include_length = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of processed EAP-TLS packets (0 = no limit).
+ # max_message_count = 32
+
+}
+
diff --git a/conf/plugins/eap-tls.opt b/conf/plugins/eap-tls.opt
new file mode 100644
index 000000000..e7b96523a
--- /dev/null
+++ b/conf/plugins/eap-tls.opt
@@ -0,0 +1,8 @@
+charon.plugins.eap-tls.fragment_size = 1024
+ Maximum size of an EAP-TLS packet.
+
+charon.plugins.eap-tls.max_message_count = 32
+ Maximum number of processed EAP-TLS packets (0 = no limit).
+
+charon.plugins.eap-tls.include_length = yes
+ Include length in non-fragmented EAP-TLS packets.
diff --git a/conf/plugins/eap-tnc.conf b/conf/plugins/eap-tnc.conf
new file mode 100644
index 000000000..aca72f1ed
--- /dev/null
+++ b/conf/plugins/eap-tnc.conf
@@ -0,0 +1,15 @@
+eap-tnc {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of processed EAP-TNC packets (0 = no limit).
+ # max_message_count = 10
+
+ # IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0,
+ # tnccs-dynamic).
+ # protocol = tnccs-1.1
+
+}
+
diff --git a/conf/plugins/eap-tnc.opt b/conf/plugins/eap-tnc.opt
new file mode 100644
index 000000000..8e060ceda
--- /dev/null
+++ b/conf/plugins/eap-tnc.opt
@@ -0,0 +1,6 @@
+charon.plugins.eap-tnc.max_message_count = 10
+ Maximum number of processed EAP-TNC packets (0 = no limit).
+
+charon.plugins.eap-tnc.protocol = tnccs-1.1
+ IF-TNCCS protocol version to be used (_tnccs-1.1_, _tnccs-2.0_,
+ _tnccs-dynamic_).
diff --git a/conf/plugins/eap-ttls.conf b/conf/plugins/eap-ttls.conf
new file mode 100644
index 000000000..5229625e0
--- /dev/null
+++ b/conf/plugins/eap-ttls.conf
@@ -0,0 +1,30 @@
+eap-ttls {
+
+ # Maximum size of an EAP-TTLS packet.
+ # fragment_size = 1024
+
+ # Include length in non-fragmented EAP-TTLS packets.
+ # include_length = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of processed EAP-TTLS packets (0 = no limit).
+ # max_message_count = 32
+
+ # Phase2 EAP client authentication method.
+ # phase2_method = md5
+
+ # Phase2 EAP Identity request piggybacked by server onto TLS Finished
+ # message.
+ # phase2_piggyback = no
+
+ # Start phase2 EAP TNC protocol after successful client authentication.
+ # phase2_tnc = no
+
+ # Request peer authentication based on a client certificate.
+ # request_peer_auth = no
+
+}
+
diff --git a/conf/plugins/eap-ttls.opt b/conf/plugins/eap-ttls.opt
new file mode 100644
index 000000000..21a6cb674
--- /dev/null
+++ b/conf/plugins/eap-ttls.opt
@@ -0,0 +1,20 @@ +charon.plugins.eap-ttls.fragment_size = 1024 + Maximum size of an EAP-TTLS packet. + +charon.plugins.eap-ttls.max_message_count = 32 + Maximum number of processed EAP-TTLS packets (0 = no limit). + +charon.plugins.eap-ttls.include_length = yes + Include length in non-fragmented EAP-TTLS packets. + +charon.plugins.eap-ttls.phase2_method = md5 + Phase2 EAP client authentication method. + +charon.plugins.eap-ttls.phase2_piggyback = no + Phase2 EAP Identity request piggybacked by server onto TLS Finished message. + +charon.plugins.eap-ttls.phase2_tnc = no + Start phase2 EAP TNC protocol after successful client authentication. + +charon.plugins.eap-ttls.request_peer_auth = no + Request peer authentication based on a client certificate. diff --git a/conf/plugins/error-notify.conf b/conf/plugins/error-notify.conf new file mode 100644 index 000000000..5915a0971 --- /dev/null +++ b/conf/plugins/error-notify.conf @@ -0,0 +1,11 @@ +error-notify { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Socket provided by the error-notify plugin. + # socket = unix://${piddir}/charon.enfy + +} + diff --git a/conf/plugins/error-notify.opt b/conf/plugins/error-notify.opt new file mode 100644 index 000000000..44ea0551e --- /dev/null +++ b/conf/plugins/error-notify.opt @@ -0,0 +1,2 @@ +charon.plugins.error-notify.socket = unix://${piddir}/charon.enfy + Socket provided by the error-notify plugin. diff --git a/conf/plugins/gcrypt.conf b/conf/plugins/gcrypt.conf new file mode 100644 index 000000000..fce2c7a6e --- /dev/null +++ b/conf/plugins/gcrypt.conf @@ -0,0 +1,11 @@ +gcrypt { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Use faster random numbers in gcrypt; for testing only, produces weak keys! + # quick_random = no + +} + 
diff --git a/conf/plugins/gcrypt.opt b/conf/plugins/gcrypt.opt new file mode 100644 index 000000000..c6b0505d7 --- /dev/null +++ b/conf/plugins/gcrypt.opt @@ -0,0 +1,2 @@ +charon.plugins.gcrypt.quick_random = no + Use faster random numbers in gcrypt; for testing only, produces weak keys! diff --git a/conf/plugins/ha.conf b/conf/plugins/ha.conf new file mode 100644 index 000000000..e8b2fa48d --- /dev/null +++ b/conf/plugins/ha.conf @@ -0,0 +1,32 @@ +ha { + + # Interval in seconds to automatically balance handled segments between + # nodes. Set to 0 to disable. + # autobalance = 0 + + # fifo_interface = yes + + # heartbeat_delay = 1000 + + # heartbeat_timeout = 2100 + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # local = + + # monitor = yes + + # pools = + + # remote = + + # resync = yes + + # secret = + + # segment_count = 1 + +} + diff --git a/conf/plugins/ha.opt b/conf/plugins/ha.opt new file mode 100644 index 000000000..77d5b7888 --- /dev/null +++ b/conf/plugins/ha.opt @@ -0,0 +1,23 @@ +charon.plugins.ha.autobalance = 0 + Interval in seconds to automatically balance handled segments between nodes. + Set to 0 to disable. + +charon.plugins.ha.fifo_interface = yes + +charon.plugins.ha.heartbeat_delay = 1000 + +charon.plugins.ha.heartbeat_timeout = 2100 + +charon.plugins.ha.local = + +charon.plugins.ha.monitor = yes + +charon.plugins.ha.pools = + +charon.plugins.ha.remote = + +charon.plugins.ha.resync = yes + +charon.plugins.ha.secret = + +charon.plugins.ha.segment_count = 1 diff --git a/conf/plugins/imc-attestation.conf b/conf/plugins/imc-attestation.conf new file mode 100644 index 000000000..ffb1b45a3 --- /dev/null +++ b/conf/plugins/imc-attestation.conf 
@@ -0,0 +1,26 @@ +imc-attestation { + + # AIK encrypted private key blob file. + # aik_blob = + + # AIK certificate file. + # aik_cert = + + # AIK public key file. + # aik_key = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # DH nonce length. + # nonce_len = 20 + + # Whether to send pcr_before and pcr_after info. + # pcr_info = yes + + # Use Quote2 AIK signature instead of Quote signature. + # use_quote2 = yes + +} + diff --git a/conf/plugins/imc-attestation.opt b/conf/plugins/imc-attestation.opt new file mode 100644 index 000000000..9c108053b --- /dev/null +++ b/conf/plugins/imc-attestation.opt @@ -0,0 +1,17 @@ +charon.plugins.imc-attestation.aik_blob = + AIK encrypted private key blob file. + +charon.plugins.imc-attestation.aik_cert = + AIK certificate file. + +charon.plugins.imc-attestation.aik_key = + AIK public key file. + +charon.plugins.imc-attestation.nonce_len = 20 + DH nonce length. + +charon.plugins.imc-attestation.use_quote2 = yes + Use Quote2 AIK signature instead of Quote signature. + +charon.plugins.imc-attestation.pcr_info = yes + Whether to send pcr_before and pcr_after info. \ No newline at end of file diff --git a/conf/plugins/imc-os.conf b/conf/plugins/imc-os.conf new file mode 100644 index 000000000..1d245d3f3 --- /dev/null +++ b/conf/plugins/imc-os.conf @@ -0,0 +1,11 @@ +imc-os { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Send operating system info without being prompted. + # push_info = yes + +} + diff --git a/conf/plugins/imc-os.opt b/conf/plugins/imc-os.opt new file mode 100644 index 000000000..2a6333f93 --- /dev/null +++ b/conf/plugins/imc-os.opt @@ -0,0 +1,2 @@ +charon.plugins.imc-os.push_info = yes + Send operating system info without being prompted. diff --git a/conf/plugins/imc-scanner.conf b/conf/plugins/imc-scanner.conf new file mode 100644 index 000000000..7f2f53106 --- /dev/null 
+++ b/conf/plugins/imc-scanner.conf @@ -0,0 +1,11 @@ +imc-scanner { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Send open listening ports without being prompted. + # push_info = yes + +} + diff --git a/conf/plugins/imc-scanner.opt b/conf/plugins/imc-scanner.opt new file mode 100644 index 000000000..84e6dfa2f --- /dev/null +++ b/conf/plugins/imc-scanner.opt @@ -0,0 +1,2 @@ +charon.plugins.imc-scanner.push_info = yes + Send open listening ports without being prompted. diff --git a/conf/plugins/imc-swid.conf b/conf/plugins/imc-swid.conf new file mode 100644 index 000000000..8b3317163 --- /dev/null +++ b/conf/plugins/imc-swid.conf @@ -0,0 +1,11 @@ +imc-swid { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Directory where SWID tags are located. + # swid_directory = ${prefix}/share + +} + diff --git a/conf/plugins/imc-swid.opt b/conf/plugins/imc-swid.opt new file mode 100644 index 000000000..67f7c79c4 --- /dev/null +++ b/conf/plugins/imc-swid.opt @@ -0,0 +1,2 @@ +charon.plugins.imc-swid.swid_directory = ${prefix}/share + Directory where SWID tags are located. diff --git a/conf/plugins/imc-test.conf b/conf/plugins/imc-test.conf new file mode 100644 index 000000000..0d66e3d0c --- /dev/null +++ b/conf/plugins/imc-test.conf @@ -0,0 +1,23 @@ +imc-test { + + # Number of additional IMC IDs. + # additional_ids = 0 + + # Command to be sent to the Test IMV. + # command = none + + # Size of dummy attribute to be sent to the Test IMV (0 = disabled). + # dummy_size = 0 + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Do a handshake retry. + # retry = no + + # Command to be sent to the Test IMV in the handshake retry. + # retry_command = + +} + diff --git a/conf/plugins/imc-test.opt b/conf/plugins/imc-test.opt new file mode 100644 index 000000000..c3169b5af 
--- /dev/null +++ b/conf/plugins/imc-test.opt @@ -0,0 +1,14 @@ +charon.plugins.imc-test.additional_ids = 0 + Number of additional IMC IDs. + +charon.plugins.imc-test.command = none + Command to be sent to the Test IMV. + +charon.plugins.imc-test.dummy_size = 0 + Size of dummy attribute to be sent to the Test IMV (0 = disabled). + +charon.plugins.imc-test.retry = no + Do a handshake retry. + +charon.plugins.imc-test.retry_command = + Command to be sent to the Test IMV in the handshake retry. diff --git a/conf/plugins/imv-attestation.conf b/conf/plugins/imv-attestation.conf new file mode 100644 index 000000000..48ffba839 --- /dev/null +++ b/conf/plugins/imv-attestation.conf @@ -0,0 +1,42 @@ +imc-attestation { + + # Dummy data if the TBOOT log is not retrieved. + # pcr17_after = + + # Dummy data if the TBOOT log is not retrieved. + # pcr17_before = + + # Dummy data if the TBOOT log is not retrieved. + # pcr17_meas = + + # Dummy data if the TBOOT log is not retrieved. + # pcr18_after = + + # Dummy data if the TBOOT log is not retrieved. + # pcr18_before = + + # Dummy data if the TBOOT log is not retrieved. + # pcr18_meas = + +} + +imv-attestation { + + # Path to directory with AIK cacerts. + # cadir = + + # Preferred Diffie-Hellman group. + # dh_group = ecp256 + + # Preferred measurement hash algorithm. + # hash_algorithm = sha256 + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # DH minimum nonce length. + # min_nonce_len = 0 + +} + diff --git a/conf/plugins/imv-attestation.opt b/conf/plugins/imv-attestation.opt new file mode 100644 index 000000000..c0ae20488 --- /dev/null +++ b/conf/plugins/imv-attestation.opt 
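Review bot: imv-attestation.conf opens with an `imc-attestation { ... }` section holding six `pcr17_*`/`pcr18_*` keys, so a reader looking for IMV settings meets IMC options first with no hint why they live in this file, and all six carry the identical text `Dummy data if the TBOOT log is not retrieved.`, which says neither which component reads the value nor what format it must have. Since the .conf is generated from imv-attestation.opt, give each `charon.plugins.imc-attestation.pcr1*` key there a description that names the consumer and the expected value format (neither is visible in this hunk, so confirm both against the plugin source), and consider whether these keys belong in imc-attestation.opt instead.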
@@ -0,0 +1,29 @@
+charon.plugins.imv-attestation.cadir =
+ Path to directory with AIK cacerts.
+
+charon.plugins.imv-attestation.dh_group = ecp256
+ Preferred Diffie-Hellman group.
+
+charon.plugins.imv-attestation.hash_algorithm = sha256
+ Preferred measurement hash algorithm.
+
+charon.plugins.imv-attestation.min_nonce_len = 0
+ DH minimum nonce length.
+
+charon.plugins.imc-attestation.pcr17_after
+ Dummy data if the TBOOT log is not retrieved.
+
+charon.plugins.imc-attestation.pcr17_before
+ Dummy data if the TBOOT log is not retrieved.
+
+charon.plugins.imc-attestation.pcr17_meas
+ Dummy data if the TBOOT log is not retrieved.
+
+charon.plugins.imc-attestation.pcr18_after
+ Dummy data if the TBOOT log is not retrieved.
+
+charon.plugins.imc-attestation.pcr18_before
+ Dummy data if the TBOOT log is not retrieved.
+
+charon.plugins.imc-attestation.pcr18_meas
+ Dummy data if the TBOOT log is not retrieved.
diff --git a/conf/plugins/imv-os.conf b/conf/plugins/imv-os.conf
new file mode 100644
index 000000000..8f0da3760
--- /dev/null
+++ b/conf/plugins/imv-os.conf
@@ -0,0 +1,11 @@
+imv-os {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # URI pointing to operating system remediation instructions.
+ # remediation_uri =
+
+}
+
diff --git a/conf/plugins/imv-os.opt b/conf/plugins/imv-os.opt
new file mode 100644
index 000000000..eab926201
--- /dev/null
+++ b/conf/plugins/imv-os.opt
@@ -0,0 +1,2 @@
+charon.plugins.imv-os.remediation_uri =
+ URI pointing to operating system remediation instructions.
diff --git a/conf/plugins/imv-scanner.conf b/conf/plugins/imv-scanner.conf
new file mode 100644
index 000000000..25719d0ef
--- /dev/null
+++ b/conf/plugins/imv-scanner.conf
@@ -0,0 +1,11 @@
+imv-scanner {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # URI pointing to scanner remediation instructions.
+ # remediation_uri =
+
+}
+
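Review bot: `charon.plugins.imv-attestation.min_nonce_len = 0` is described only as `DH minimum nonce length.`, which leaves open whether 0 means the IMV accepts a nonce of any length, including an empty one, from the IMC, while the IMC side in imc-attestation.opt defaults `nonce_len` to 20. State what 0 means (presumably no minimum is enforced; confirm against the plugin) and what an operator should set, e.g. `DH minimum nonce length accepted from an IMC (0 = no minimum enforced); the IMC default is 20.`, so that the verifier side is not silently weaker than the default prover.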
diff --git a/conf/plugins/imv-scanner.opt b/conf/plugins/imv-scanner.opt new file mode 100644 index 000000000..7af87493b --- /dev/null +++ b/conf/plugins/imv-scanner.opt @@ -0,0 +1,2 @@ +charon.plugins.imv-scanner.remediation_uri = + URI pointing to scanner remediation instructions. diff --git a/conf/plugins/imv-test.conf b/conf/plugins/imv-test.conf new file mode 100644 index 000000000..9bd248792 --- /dev/null +++ b/conf/plugins/imv-test.conf @@ -0,0 +1,11 @@ +imv-test { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Number of IMC-IMV retry rounds. + # rounds = 0 + +} + diff --git a/conf/plugins/imv-test.opt b/conf/plugins/imv-test.opt new file mode 100644 index 000000000..2cbddc8f6 --- /dev/null +++ b/conf/plugins/imv-test.opt @@ -0,0 +1,2 @@ +charon.plugins.imv-test.rounds = 0 + Number of IMC-IMV retry rounds. diff --git a/conf/plugins/ipseckey.conf b/conf/plugins/ipseckey.conf new file mode 100644 index 000000000..f2e5e5877 --- /dev/null +++ b/conf/plugins/ipseckey.conf @@ -0,0 +1,11 @@ +ipseckey { + + # Enable fetching of IPSECKEY RRs via DNS. + # enable = no + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/conf/plugins/ipseckey.opt b/conf/plugins/ipseckey.opt new file mode 100644 index 000000000..d4cff26dd --- /dev/null +++ b/conf/plugins/ipseckey.opt @@ -0,0 +1,2 @@ +charon.plugins.ipseckey.enable = no + Enable fetching of IPSECKEY RRs via DNS. diff --git a/conf/plugins/kernel-klips.conf b/conf/plugins/kernel-klips.conf new file mode 100644 index 000000000..10ca30839 --- /dev/null +++ b/conf/plugins/kernel-klips.conf @@ -0,0 +1,14 @@ +kernel-klips { + + # Number of ipsecN devices. + # ipsec_dev_count = 4 + + # Set MTU of ipsecN device. + # ipsec_dev_mtu = 0 + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + 
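Review bot: `charon.plugins.ipseckey.enable = no` in ipseckey.opt says only `Enable fetching of IPSECKEY RRs via DNS.` and does not state on what basis a fetched key is trusted, yet a DNS answer that is not validated would let whoever controls the response supply a peer's public key. The description should name the validation the plugin relies on (presumably DNSSEC through the configured resolver; confirm against the plugin) and say whether unvalidated records are rejected, e.g. `Enable fetching of IPSECKEY RRs via DNS. Keys are only used from DNSSEC-validated answers.` once that behaviour is confirmed.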
diff --git a/conf/plugins/kernel-klips.opt b/conf/plugins/kernel-klips.opt new file mode 100644 index 000000000..ad9806e71 --- /dev/null +++ b/conf/plugins/kernel-klips.opt @@ -0,0 +1,5 @@ +charon.plugins.kernel-klips.ipsec_dev_count = 4 + Number of ipsecN devices. + +charon.plugins.kernel-klips.ipsec_dev_mtu = 0 + Set MTU of ipsecN device. diff --git a/conf/plugins/kernel-libipsec.conf b/conf/plugins/kernel-libipsec.conf new file mode 100644 index 000000000..3411be2ff --- /dev/null +++ b/conf/plugins/kernel-libipsec.conf @@ -0,0 +1,11 @@ +kernel-libipsec { + + # Allow that the remote traffic selector equals the IKE peer. + # allow_peer_ts = no + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/conf/plugins/kernel-libipsec.opt b/conf/plugins/kernel-libipsec.opt new file mode 100644 index 000000000..e76db63d9 --- /dev/null +++ b/conf/plugins/kernel-libipsec.opt @@ -0,0 +1,7 @@ +charon.plugins.kernel-libipsec.allow_peer_ts = no + Allow that the remote traffic selector equals the IKE peer. + + Allow that the remote traffic selector equals the IKE peer. The route + installed for such traffic (via TUN device) usually prevents further IKE + traffic. The fwmark options for the _kernel-netlink_ and _socket-default_ + plugins can be used to circumvent that problem. diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf new file mode 100644 index 000000000..670746963 --- /dev/null +++ b/conf/plugins/kernel-netlink.conf @@ -0,0 +1,19 @@ +kernel-netlink { + + # Firewall mark to set on the routing rule that directs traffic to our + # routing table. + # fwmark = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Whether to trigger roam events when interfaces, addresses or routes + # change. + # roam_events = yes + + # Lifetime of XFRM acquire state in kernel. + # xfrm_acq_expires = 165 + +} + 
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt new file mode 100644 index 000000000..a8e421b6e --- /dev/null +++ b/conf/plugins/kernel-netlink.opt @@ -0,0 +1,18 @@ +charon.plugins.kernel-netlink.fwmark = + Firewall mark to set on the routing rule that directs traffic to our routing + table. + + Firewall mark to set on the routing rule that directs traffic to our routing + table. The format is [!]mark[/mask], where the optional exclamation mark + inverts the meaning (i.e. the rule only applies to packets that don't match + the mark). + +charon.plugins.kernel-netlink.roam_events = yes + Whether to trigger roam events when interfaces, addresses or routes change. + +charon.plugins.kernel-netlink.xfrm_acq_expires = 165 + Lifetime of XFRM acquire state in kernel. + + Lifetime of XFRM acquire state in kernel. The value gets written to + /proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM + acquire messages sent. diff --git a/conf/plugins/kernel-pfroute.conf b/conf/plugins/kernel-pfroute.conf new file mode 100644 index 000000000..9aa4dcac0 --- /dev/null +++ b/conf/plugins/kernel-pfroute.conf @@ -0,0 +1,12 @@ +kernel-pfroute { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Time in ms to wait until virtual IP addresses appear/disappear before + # failing. + # vip_wait = 1000 + +} + diff --git a/conf/plugins/kernel-pfroute.opt b/conf/plugins/kernel-pfroute.opt new file mode 100644 index 000000000..8b9bb9169 --- /dev/null +++ b/conf/plugins/kernel-pfroute.opt @@ -0,0 +1,3 @@ +charon.plugins.kernel-pfroute.vip_wait = 1000 + Time in ms to wait until virtual IP addresses appear/disappear before + failing. diff --git a/conf/plugins/led.conf b/conf/plugins/led.conf new file mode 100644 index 000000000..0f34adb07 --- /dev/null +++ b/conf/plugins/led.conf 
@@ -0,0 +1,12 @@
+led {
+
+ # activity_led =
+
+ # blink_time = 50
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/led.opt b/conf/plugins/led.opt
new file mode 100644
index 000000000..9e2f1ac61
--- /dev/null
+++ b/conf/plugins/led.opt
@@ -0,0 +1,3 @@
+charon.plugins.led.activity_led =
+
+charon.plugins.led.blink_time = 50
diff --git a/conf/plugins/load-tester.conf b/conf/plugins/load-tester.conf
new file mode 100644
index 000000000..e69c029d6
--- /dev/null
+++ b/conf/plugins/load-tester.conf
@@ -0,0 +1,138 @@ +# Section to configure the load-tester plugin, see LOAD TESTS in +# strongswan.conf(5) for details. +load-tester { + + # Whether to keep dynamic addresses even after the associated SA got + # terminated. + # addrs_keep = no + + # Network prefix length to use when installing dynamic addresses. If set to + # -1 the full address is used (i.e. 32 or 128). + # addrs_prefix = 16 + + # Directory to load (intermediate) CA certificates from. + # ca_dir = + + # Seconds to start CHILD_SA rekeying after setup. + # child_rekey = 600 + + # Delay between initiatons for each thread. + # delay = 0 + + # Delete an IKE_SA as soon as it has been established. + # delete_after_established = no + + # Digest algorithm used when issuing certificates. + # digest = sha1 + + # DPD delay to use in load test. + # dpd_delay = 0 + + # Base port to be used for requests (each client uses a different port). + # dynamic_port = 0 + + # EAP secret to use in load test. + # eap_password = default-pwd + + # Enable the load testing plugin. WARNING: Never enable this plugin on + # productive systems. It provides preconfigured credentials and allows an + # attacker to authenticate as any user. + # enable = no + + # CHILD_SA proposal to use for load tests. + # esp = aes128-sha1 + + # Fake the kernel interface to allow load-testing against self. + # fake_kernel = no + + # Seconds to start IKE_SA rekeying after setup. + # ike_rekey = 0 + + # Global limit of concurrently established SAs during load test. + # init_limit = 0 + + # Address to initiate from. + # initiator = 0.0.0.0 + + # Authentication method(s) the intiator uses. + # initiator_auth = pubkey + + # Initiator ID used in load test. + # initiator_id = + + # Initiator ID to match against as responder. + # initiator_match = + + # Traffic selector on initiator side, as proposed by initiator. + # initiator_tsi = + + # Traffic selector on responder side, as proposed by initiator. 
+ # initiator_tsr = + + # Number of concurrent initiator threads to use in load test. + # initiators = 0 + + # Path to the issuer certificate (if not configured a hard-coded default + # value is used). + # issuer_cert = + + # Path to private key that is used to issue certificates (if not configured + # a hard-coded default value is used). + # issuer_key = + + # Number of IKE_SAs to initiate by each initiator in load test. + # iterations = 1 + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # IPsec mode to use, one of tunnel, transport, or beet. + # mode = tunnel + + # Provide INTERNAL_IPV4_ADDRs from a named pool. + # pool = + + # Preshared key to use in load test. + # preshared_key = + + # IKE proposal to use in load test. + # proposal = aes128-sha1-modp768 + + # Request an INTERNAL_IPV4_ADDR from the server. + # request_virtual_ip = no + + # Address to initiation connections to. + # responder = 127.0.0.1 + + # Authentication method(s) the responder uses. + # responder_auth = pubkey + + # Responder ID used in load test. + # responder_id = + + # Traffic selector on initiator side, as narrowed by responder. + # responder_tsi = initiator_tsi + + # Traffic selector on responder side, as narrowed by responder. + # responder_tsr = initiator_tsr + + # Shutdown the daemon after all IKE_SAs have been established. + # shutdown_when_complete = no + + # Socket provided by the load-tester plugin. + # socket = unix://${piddir}/charon.ldt + + # IKE version to use (0 means use IKEv2 as initiator and accept any version + # as responder). + # version = 0 + + # Section that contains key/value pairs with address pools (in CIDR + # notation) to use for a specific network interface e.g. eth0 = + # 10.10.0.0/16. + addrs { + + } + +} + diff --git a/conf/plugins/load-tester.opt b/conf/plugins/load-tester.opt new file mode 100644 index 000000000..7afe32618 --- /dev/null +++ b/conf/plugins/load-tester.opt 
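Review bot: The WARNING that the load-tester plugin "provides preconfigured credentials and allows an attacker to authenticate as any user" sits only on the `enable` option in the middle of an 86-option section, while the section header comment, the `load = yes` line, `eap_password = default-pwd` and the hard-coded fallbacks for `issuer_cert`/`issuer_key` carry no hint of it. Repeat it where a reader enters the file by extending the header comment in load-tester.opt (`charon.plugins.load-tester {}`) to `Section to configure the load-tester plugin, see LOAD TESTS in strongswan.conf(5) for details. WARNING: never enable on productive systems, see the enable option.`, and consider defaulting `load` to `no` for this plugin if the plugin loader permits it. The generated text also carries three typos that come from load-tester.opt: `initiatons` (delay), `intiator` (initiator_auth) and `Address to initiation connections to` (responder).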
@@ -0,0 +1,128 @@
+charon.plugins.load-tester {}
+ Section to configure the load-tester plugin, see LOAD TESTS in
+ **strongswan.conf**(5) for details.
+
+charon.plugins.load-tester.addrs {}
+ Section that contains key/value pairs with address pools (in CIDR notation)
+ to use for a specific network interface e.g. eth0 = 10.10.0.0/16.
+
+charon.plugins.load-tester.addrs_keep = no
+ Whether to keep dynamic addresses even after the associated SA got
+ terminated.
+
+charon.plugins.load-tester.addrs_prefix = 16
+ Network prefix length to use when installing dynamic addresses.
+ If set to -1 the full address is used (i.e. 32 or 128).
+
+charon.plugins.load-tester.ca_dir =
+ Directory to load (intermediate) CA certificates from.
+
+charon.plugins.load-tester.child_rekey = 600
+ Seconds to start CHILD_SA rekeying after setup.
+
+charon.plugins.load-tester.delay = 0
+ Delay between initiatons for each thread.
+
+charon.plugins.load-tester.delete_after_established = no
+ Delete an IKE_SA as soon as it has been established.
+
+charon.plugins.load-tester.digest = sha1
+ Digest algorithm used when issuing certificates.
+
+charon.plugins.load-tester.dpd_delay = 0
+ DPD delay to use in load test.
+
+charon.plugins.load-tester.dynamic_port = 0
+ Base port to be used for requests (each client uses a different port).
+
+charon.plugins.load-tester.eap_password = default-pwd
+ EAP secret to use in load test.
+
+charon.plugins.load-tester.enable = no
+ Enable the load testing plugin. **WARNING**: Never enable this plugin on
+ productive systems. It provides preconfigured credentials and allows an
+ attacker to authenticate as any user.
+
+charon.plugins.load-tester.esp = aes128-sha1
+ CHILD_SA proposal to use for load tests.
+
+charon.plugins.load-tester.fake_kernel = no
+ Fake the kernel interface to allow load-testing against self.
+
+charon.plugins.load-tester.ike_rekey = 0
+ Seconds to start IKE_SA rekeying after setup.
+
+charon.plugins.load-tester.init_limit = 0
+ Global limit of concurrently established SAs during load test.
+
+charon.plugins.load-tester.initiator = 0.0.0.0
+ Address to initiate from.
+
+charon.plugins.load-tester.initiators = 0
+ Number of concurrent initiator threads to use in load test.
+
+charon.plugins.load-tester.initiator_auth = pubkey
+ Authentication method(s) the intiator uses.
+
+charon.plugins.load-tester.initiator_id =
+ Initiator ID used in load test.
+
+charon.plugins.load-tester.initiator_match =
+ Initiator ID to match against as responder.
+
+charon.plugins.load-tester.initiator_tsi =
+ Traffic selector on initiator side, as proposed by initiator.
+
+charon.plugins.load-tester.initiator_tsr =
+ Traffic selector on responder side, as proposed by initiator.
+
+charon.plugins.load-tester.iterations = 1
+ Number of IKE_SAs to initiate by each initiator in load test.
+
+charon.plugins.load-tester.issuer_cert =
+ Path to the issuer certificate (if not configured a hard-coded default value
+ is used).
+
+charon.plugins.load-tester.issuer_key =
+ Path to private key that is used to issue certificates (if not configured a
+ hard-coded default value is used).
+
+charon.plugins.load-tester.mode = tunnel
+ IPsec mode to use, one of _tunnel_, _transport_, or _beet_.
+
+charon.plugins.load-tester.pool =
+ Provide INTERNAL_IPV4_ADDRs from a named pool.
+
+charon.plugins.load-tester.preshared_key =
+ Preshared key to use in load test.
+
+charon.plugins.load-tester.proposal = aes128-sha1-modp768
+ IKE proposal to use in load test.
+
+charon.plugins.load-tester.responder = 127.0.0.1
+ Address to initiation connections to.
+
+charon.plugins.load-tester.responder_auth = pubkey
+ Authentication method(s) the responder uses.
+
+charon.plugins.load-tester.responder_id =
+ Responder ID used in load test.
+
+charon.plugins.load-tester.responder_tsi = initiator_tsi
+ Traffic selector on initiator side, as narrowed by responder.
+
+charon.plugins.load-tester.responder_tsr = initiator_tsr
+ Traffic selector on responder side, as narrowed by responder.
+
+charon.plugins.load-tester.request_virtual_ip = no
+ Request an INTERNAL_IPV4_ADDR from the server.
+
+charon.plugins.load-tester.shutdown_when_complete = no
+ Shutdown the daemon after all IKE_SAs have been established.
+
+charon.plugins.load-tester.socket = unix://${piddir}/charon.ldt
+ Socket provided by the load-tester plugin.
+
+charon.plugins.load-tester.version = 0
+ IKE version to use (0 means use IKEv2 as initiator and accept any version as
+ responder).
diff --git a/conf/plugins/lookip.conf b/conf/plugins/lookip.conf
new file mode 100644
index 000000000..53958221f
--- /dev/null
+++ b/conf/plugins/lookip.conf
@@ -0,0 +1,11 @@
+lookip {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Socket provided by the lookip plugin.
+ # socket = unix://${piddir}/charon.lkp
+
+}
+
diff --git a/conf/plugins/lookip.opt b/conf/plugins/lookip.opt
new file mode 100644
index 000000000..443eb34bb
--- /dev/null
+++ b/conf/plugins/lookip.opt
@@ -0,0 +1,2 @@
+charon.plugins.lookip.socket = unix://${piddir}/charon.lkp
+ Socket provided by the lookip plugin.
diff --git a/conf/plugins/ntru.conf b/conf/plugins/ntru.conf
new file mode 100644
index 000000000..6487b3653
--- /dev/null
+++ b/conf/plugins/ntru.conf
@@ -0,0 +1,17 @@
+ntru {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Number of pseudo-random bit requests from the DRBG before an automatic
+ # reseeding occurs.
+ # max_drbg_requests = 4294967294
+
+ # The following parameter sets are available: x9_98_speed, x9_98_bandwidth,
+ # x9_98_balance and optimum, the last set not being part of the X9.98
+ # standard but having the best performance.
+ # parameter_set = optimum
+
+}
+
diff --git a/conf/plugins/ntru.opt b/conf/plugins/ntru.opt
new file mode 100644
index 000000000..8e1bebd87
--- /dev/null
+++ b/conf/plugins/ntru.opt
@@ -0,0 +1,8 @@
+charon.plugins.ntru.max_drbg_requests = 4294967294
+ Number of pseudo-random bit requests from the DRBG before an automatic
+ reseeding occurs.
+
+charon.plugins.ntru.parameter_set = optimum
+ The following parameter sets are available: **x9_98_speed**,
+ **x9_98_bandwidth**, **x9_98_balance** and **optimum**, the last set not
+ being part of the X9.98 standard but having the best performance.
diff --git a/conf/plugins/openssl.conf b/conf/plugins/openssl.conf
new file mode 100644
index 000000000..08ed7592b
--- /dev/null
+++ b/conf/plugins/openssl.conf
@@ -0,0 +1,14 @@
+openssl {
+
+ # ENGINE ID to use in the OpenSSL plugin.
+ # engine_id = pkcs11
+
+ # Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
+ # fips_mode = 0
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/openssl.opt b/conf/plugins/openssl.opt
new file mode 100644
index 000000000..55d8dcaa1
--- /dev/null
+++ b/conf/plugins/openssl.opt
@@ -0,0 +1,5 @@
+charon.plugins.openssl.engine_id = pkcs11
+ ENGINE ID to use in the OpenSSL plugin.
+
+charon.plugins.openssl.fips_mode = 0
+ Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
diff --git a/conf/plugins/pkcs11.conf b/conf/plugins/pkcs11.conf
new file mode 100644
index 000000000..35248c2ce
--- /dev/null
+++ b/conf/plugins/pkcs11.conf
@@ -0,0 +1,37 @@
+pkcs11 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Whether to load certificates from tokens.
+ # load_certs = yes
+
+ # Reload certificates from all tokens if charon receives a SIGHUP.
+ # reload_certs = no
+
+ # Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc
+ # option).
+ # use_dh = no
+
+ # Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
+ # operations. ECDSA private keys can be used regardless of this option.
+ # use_ecc = no
+
+ # Whether the PKCS#11 modules should be used to hash data.
+ # use_hasher = no
+
+ # Whether the PKCS#11 modules should be used for public key operations, even
+ # for keys not stored on tokens.
+ # use_pubkey = no
+
+ # Whether the PKCS#11 modules should be used as RNG.
+ # use_rng = no
+
+ # List of available PKCS#11 modules.
+ modules {
+
+ }
+
+}
+
diff --git a/conf/plugins/pkcs11.opt b/conf/plugins/pkcs11.opt
new file mode 100644
index 000000000..f5a202844
--- /dev/null
+++ b/conf/plugins/pkcs11.opt
@@ -0,0 +1,26 @@
+charon.plugins.pkcs11.modules {}
+ List of available PKCS#11 modules.
+
+charon.plugins.pkcs11.load_certs = yes
+ Whether to load certificates from tokens.
+
+charon.plugins.pkcs11.reload_certs = no
+ Reload certificates from all tokens if charon receives a SIGHUP.
+
+charon.plugins.pkcs11.use_dh = no
+ Whether the PKCS#11 modules should be used for DH and ECDH (see _use_ecc_
+ option).
+
+charon.plugins.pkcs11.use_ecc = no
+ Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
+ operations. ECDSA private keys can be used regardless of this option.
+
+charon.plugins.pkcs11.use_hasher = no
+ Whether the PKCS#11 modules should be used to hash data.
+
+charon.plugins.pkcs11.use_pubkey = no
+ Whether the PKCS#11 modules should be used for public key operations, even
+ for keys not stored on tokens.
+
+charon.plugins.pkcs11.use_rng = no
+ Whether the PKCS#11 modules should be used as RNG.
diff --git a/conf/plugins/radattr.conf b/conf/plugins/radattr.conf
new file mode 100644
index 000000000..6b085987d
--- /dev/null
+++ b/conf/plugins/radattr.conf
@@ -0,0 +1,15 @@
+radattr {
+
+ # Directory where RADIUS attributes are stored in client-ID specific files.
+ # dir =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Add attributes to all IKE_AUTH messages (-1) or only to the one with the
+ # given message ID.
+ # message_id = -1
+
+}
+
diff --git a/conf/plugins/radattr.opt b/conf/plugins/radattr.opt
new file mode 100644
index 000000000..dcc1bf2f7
--- /dev/null
+++ b/conf/plugins/radattr.opt
@@ -0,0 +1,9 @@
+charon.plugins.radattr.dir =
+ Directory where RADIUS attributes are stored in client-ID specific files.
+
+charon.plugins.radattr.message_id = -1
+ Add attributes to all IKE_AUTH messages (-1) or only to the one with the
+ given message ID.
+
+ Attributes are added to all IKE_AUTH messages by default (-1), or only to
+ the IKE_AUTH message with the given IKEv2 message ID.
diff --git a/conf/plugins/random.conf b/conf/plugins/random.conf
new file mode 100644
index 000000000..e0af75fd7
--- /dev/null
+++ b/conf/plugins/random.conf
@@ -0,0 +1,18 @@
+random {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # File to read random bytes from.
+ # random = ${random_device}
+
+ # If set to yes the RNG_STRONG class reads random bytes from the same source
+ # as the RNG_TRUE class.
+ # strong_equals_true = no
+
+ # File to read pseudo random bytes from.
+ # urandom = ${urandom_device}
+
+}
+
diff --git a/conf/plugins/random.opt b/conf/plugins/random.opt
new file mode 100644
index 000000000..1cbde288b
--- /dev/null
+++ b/conf/plugins/random.opt
@@ -0,0 +1,9 @@
+charon.plugins.random.random = ${random_device}
+ File to read random bytes from.
+
+charon.plugins.random.urandom = ${urandom_device}
+ File to read pseudo random bytes from.
+
+charon.plugins.random.strong_equals_true = no
+ If set to yes the RNG_STRONG class reads random bytes from the same source
+ as the RNG_TRUE class.
diff --git a/conf/plugins/resolve.conf b/conf/plugins/resolve.conf
new file mode 100644
index 000000000..5d9ca72de
--- /dev/null
+++ b/conf/plugins/resolve.conf
@@ -0,0 +1,18 @@
+resolve {
+
+ # File where to add DNS server entries.
+ # file = /etc/resolv.conf
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ resolvconf {
+
+ # Prefix used for interface names sent to resolvconf(8).
+ # iface_prefix = lo.inet.ipsec.
+
+ }
+
+}
+
diff --git a/conf/plugins/resolve.opt b/conf/plugins/resolve.opt
new file mode 100644
index 000000000..ce65eff9e
--- /dev/null
+++ b/conf/plugins/resolve.opt
@@ -0,0 +1,11 @@
+charon.plugins.resolve.file = /etc/resolv.conf
+ File where to add DNS server entries.
+
+charon.plugins.resolve.resolvconf.iface_prefix = lo.inet.ipsec.
+ Prefix used for interface names sent to resolvconf(8).
+
+ Prefix used for interface names sent to **resolvconf**(8). The nameserver
+ address is appended to this prefix to make it unique. The result has to be
+ a valid interface name according to the rules defined by resolvconf. Also,
+ it should have a high priority according to the order defined in
+ **interface-order**(5).
diff --git a/conf/plugins/socket-default.conf b/conf/plugins/socket-default.conf
new file mode 100644
index 000000000..6d4b73dd5
--- /dev/null
+++ b/conf/plugins/socket-default.conf
@@ -0,0 +1,20 @@
+socket-default {
+
+ # Firewall mark to set on outbound packets.
+ # fwmark =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Set source address on outbound packets, if possible.
+ # set_source = yes
+
+ # Listen on IPv4, if possible.
+ # use_ipv4 = yes
+
+ # Listen on IPv6, if possible.
+ # use_ipv6 = yes
+
+}
+
diff --git a/conf/plugins/socket-default.opt b/conf/plugins/socket-default.opt
new file mode 100644
index 000000000..483a0f03d
--- /dev/null
+++ b/conf/plugins/socket-default.opt
@@ -0,0 +1,11 @@
+charon.plugins.socket-default.fwmark =
+ Firewall mark to set on outbound packets.
+
+charon.plugins.socket-default.set_source = yes
+ Set source address on outbound packets, if possible.
+
+charon.plugins.socket-default.use_ipv4 = yes
+ Listen on IPv4, if possible.
+
+charon.plugins.socket-default.use_ipv6 = yes
+ Listen on IPv6, if possible.
diff --git a/conf/plugins/sql.conf b/conf/plugins/sql.conf
new file mode 100644
index 000000000..094231b9c
--- /dev/null
+++ b/conf/plugins/sql.conf
@@ -0,0 +1,15 @@
+sql {
+
+ # Database URI for charon's SQL plugin. If it contains a password, make sure
+ # to adjust the permissions of the config file accordingly.
+ # database =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Loglevel for logging to SQL database.
+ # loglevel = -1
+
+}
+
diff --git a/conf/plugins/sql.opt b/conf/plugins/sql.opt
new file mode 100644
index 000000000..f573bba7e
--- /dev/null
+++ b/conf/plugins/sql.opt
@@ -0,0 +1,6 @@
+charon.plugins.sql.database =
+ Database URI for charon's SQL plugin. If it contains a password, make
+ sure to adjust the permissions of the config file accordingly.
+
+charon.plugins.sql.loglevel = -1
+ Loglevel for logging to SQL database.
diff --git a/conf/plugins/stroke.conf b/conf/plugins/stroke.conf
new file mode 100644
index 000000000..6dd063053
--- /dev/null
+++ b/conf/plugins/stroke.conf
@@ -0,0 +1,24 @@
+stroke {
+
+ # Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
+ # certificates even if they don't contain a CA basic constraint.
+ # ignore_missing_ca_basic_constraint = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of stroke messages handled concurrently.
+ # max_concurrent = 4
+
+ # If enabled log level changes via stroke socket are not allowed.
+ # prevent_loglevel_changes = no
+
+ # Socket provided by the stroke plugin.
+ # socket = unix://${piddir}/charon.ctl
+
+ # Timeout in ms for any stroke command. Use 0 to disable the timeout.
+ # timeout = 0
+
+}
+
diff --git a/conf/plugins/stroke.opt b/conf/plugins/stroke.opt
new file mode 100644
index 000000000..2cfc2c6fa
--- /dev/null
+++ b/conf/plugins/stroke.opt
@@ -0,0 +1,15 @@
+charon.plugins.stroke.ignore_missing_ca_basic_constraint = no
+ Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
+ certificates even if they don't contain a CA basic constraint.
+
+charon.plugins.stroke.max_concurrent = 4
+ Maximum number of stroke messages handled concurrently.
+
+charon.plugins.stroke.prevent_loglevel_changes = no
+ If enabled log level changes via stroke socket are not allowed.
+
+charon.plugins.stroke.socket = unix://${piddir}/charon.ctl
+ Socket provided by the stroke plugin.
+
+charon.plugins.stroke.timeout = 0
+ Timeout in ms for any stroke command. Use 0 to disable the timeout.
diff --git a/conf/plugins/systime-fix.conf b/conf/plugins/systime-fix.conf
new file mode 100644
index 000000000..f5cd4cd5d
--- /dev/null
+++ b/conf/plugins/systime-fix.conf
@@ -0,0 +1,22 @@
+systime-fix {
+
+ # Interval in seconds to check system time for validity. 0 disables the
+ # check.
+ # interval = 0
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Whether to use reauth or delete if an invalid cert lifetime is detected.
+ # reauth = no
+
+ # Threshold date where system time is considered valid. Disabled if not
+ # specified.
+ # threshold =
+
+ # strptime(3) format used to parse threshold option.
+ # threshold_format = %Y
+
+}
+
diff --git a/conf/plugins/systime-fix.opt b/conf/plugins/systime-fix.opt
new file mode 100644
index 000000000..7abd03627
--- /dev/null
+++ b/conf/plugins/systime-fix.opt
@@ -0,0 +1,12 @@
+charon.plugins.systime-fix.interval = 0
+ Interval in seconds to check system time for validity. 0 disables the check.
+
+charon.plugins.systime-fix.reauth = no
+ Whether to use reauth or delete if an invalid cert lifetime is detected.
+
+charon.plugins.systime-fix.threshold =
+ Threshold date where system time is considered valid. Disabled if not
+ specified.
+
+charon.plugins.systime-fix.threshold_format = %Y
+ **strptime**(3) format used to parse threshold option.
diff --git a/conf/plugins/tnc-ifmap.conf b/conf/plugins/tnc-ifmap.conf
new file mode 100644
index 000000000..02f7c881f
--- /dev/null
+++ b/conf/plugins/tnc-ifmap.conf
@@ -0,0 +1,30 @@
+tnc-ifmap {
+
+ # Path to X.509 certificate file of IF-MAP client.
+ # client_cert =
+
+ # Path to private key file of IF-MAP client.
+ # client_key =
+
+ # Unique name of strongSwan server as a PEP and/or PDP device.
+ # device_name =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Interval in seconds between periodic IF-MAP RenewSession requests.
+ # renew_session_interval = 150
+
+ # Path to X.509 certificate file of IF-MAP server.
+ # server_cert =
+
+ # URI of the form [https://]servername[:port][/path].
+ # server_uri = https://localhost:8444/imap
+
+ # Credentials of IF-MAP client of the form username:password. If set, make
+ # sure to adjust the permissions of the config file accordingly.
+ # username_password =
+
+}
+
diff --git a/conf/plugins/tnc-ifmap.opt b/conf/plugins/tnc-ifmap.opt
new file mode 100644
index 000000000..155c30697
--- /dev/null
+++ b/conf/plugins/tnc-ifmap.opt
@@ -0,0 +1,21 @@
+charon.plugins.tnc-ifmap.client_cert =
+ Path to X.509 certificate file of IF-MAP client.
+
+charon.plugins.tnc-ifmap.client_key =
+ Path to private key file of IF-MAP client.
+
+charon.plugins.tnc-ifmap.device_name =
+ Unique name of strongSwan server as a PEP and/or PDP device.
+
+charon.plugins.tnc-ifmap.renew_session_interval = 150
+ Interval in seconds between periodic IF-MAP RenewSession requests.
+
+charon.plugins.tnc-ifmap.server_uri = https://localhost:8444/imap
+ URI of the form [https://]servername[:port][/path].
+
+charon.plugins.tnc-ifmap.server_cert =
+ Path to X.509 certificate file of IF-MAP server.
+
+charon.plugins.tnc-ifmap.username_password =
+ Credentials of IF-MAP client of the form username:password. If set, make
+ sure to adjust the permissions of the config file accordingly.
diff --git a/conf/plugins/tnc-imc.conf b/conf/plugins/tnc-imc.conf
new file mode 100644
index 000000000..f517abcaf
--- /dev/null
+++ b/conf/plugins/tnc-imc.conf
@@ -0,0 +1,14 @@
+tnc-imc {
+
+ # Unload IMC after use.
+ # dlclose = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Preferred language for TNC recommendations.
+ # preferred_language = en
+
+}
+
diff --git a/conf/plugins/tnc-imc.opt b/conf/plugins/tnc-imc.opt
new file mode 100644
index 000000000..7c9af2a30
--- /dev/null
+++ b/conf/plugins/tnc-imc.opt
@@ -0,0 +1,5 @@
+charon.plugins.tnc-imc.dlclose = yes
+ Unload IMC after use.
+
+charon.plugins.tnc-imc.preferred_language = en
+ Preferred language for TNC recommendations.
diff --git a/conf/plugins/tnc-imv.conf b/conf/plugins/tnc-imv.conf
new file mode 100644
index 000000000..799421983
--- /dev/null
+++ b/conf/plugins/tnc-imv.conf
@@ -0,0 +1,14 @@
+tnc-imv {
+
+ # Unload IMV after use.
+ # dlclose = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # TNC recommendation policy, one of default, any, or all.
+ # recommendation_policy = default
+
+}
+
diff --git a/conf/plugins/tnc-imv.opt b/conf/plugins/tnc-imv.opt
new file mode 100644
index 000000000..788753ce7
--- /dev/null
+++ b/conf/plugins/tnc-imv.opt
@@ -0,0 +1,5 @@
+charon.plugins.tnc-imv.dlclose = yes
+ Unload IMV after use.
+
+charon.plugins.tnc-imv.recommendation_policy = default
+ TNC recommendation policy, one of _default_, _any_, or _all_.
diff --git a/conf/plugins/tnc-pdp.conf b/conf/plugins/tnc-pdp.conf
new file mode 100644
index 000000000..d9e926c9e
--- /dev/null
+++ b/conf/plugins/tnc-pdp.conf
@@ -0,0 +1,41 @@
+tnc-pdp {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Name of the strongSwan PDP as contained in the AAA certificate.
+ # server =
+
+ # Timeout in seconds before closing incomplete connections.
+ # timeout =
+
+ pt_tls {
+
+ # Enable PT-TLS protocol on the strongSwan PDP.
+ # enable = yes
+
+ # PT-TLS server port the strongSwan PDP is listening on.
+ # port = 271
+
+ }
+
+ radius {
+
+ # Enable RADIUS protocol on the strongSwan PDP.
+ # enable = yes
+
+ # EAP tunnel method to be used.
+ # method = ttls
+
+ # RADIUS server port the strongSwan PDP is listening on.
+ # port = 1812
+
+ # Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure
+ # to adjust the permissions of the config file accordingly.
+ # secret =
+
+ }
+
+}
+
diff --git a/conf/plugins/tnc-pdp.opt b/conf/plugins/tnc-pdp.opt
new file mode 100644
index 000000000..22b00db5e
--- /dev/null
+++ b/conf/plugins/tnc-pdp.opt
@@ -0,0 +1,24 @@
+charon.plugins.tnc-pdp.pt_tls.enable = yes
+ Enable PT-TLS protocol on the strongSwan PDP.
+
+charon.plugins.tnc-pdp.pt_tls.port = 271
+ PT-TLS server port the strongSwan PDP is listening on.
+
+charon.plugins.tnc-pdp.radius.enable = yes
+ Enable RADIUS protocol on the strongSwan PDP.
+
+charon.plugins.tnc-pdp.radius.method = ttls
+ EAP tunnel method to be used.
+
+charon.plugins.tnc-pdp.radius.port = 1812
+ RADIUS server port the strongSwan PDP is listening on.
+
+charon.plugins.tnc-pdp.radius.secret =
+ Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure to
+ adjust the permissions of the config file accordingly.
+
+charon.plugins.tnc-pdp.server =
+ Name of the strongSwan PDP as contained in the AAA certificate.
+
+charon.plugins.tnc-pdp.timeout =
+ Timeout in seconds before closing incomplete connections.
diff --git a/conf/plugins/tnccs-11.conf b/conf/plugins/tnccs-11.conf
new file mode 100644
index 000000000..9b99786b2
--- /dev/null
+++ b/conf/plugins/tnccs-11.conf
@@ -0,0 +1,11 @@
+tnccs-11 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum size of a PA-TNC message (XML & Base64 encoding).
+ # max_message_size = 45000
+
+}
+
diff --git a/conf/plugins/tnccs-11.opt b/conf/plugins/tnccs-11.opt
new file mode 100644
index 000000000..eb313fe06
--- /dev/null
+++ b/conf/plugins/tnccs-11.opt
@@ -0,0 +1,2 @@
+charon.plugins.tnccs-11.max_message_size = 45000
+ Maximum size of a PA-TNC message (XML & Base64 encoding).
diff --git a/conf/plugins/tnccs-20.conf b/conf/plugins/tnccs-20.conf
new file mode 100644
index 000000000..9a57ee14d
--- /dev/null
+++ b/conf/plugins/tnccs-20.conf
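Review bot: `charon.plugins.tnc-pdp.timeout =` lists no default although its description, `Timeout in seconds before closing incomplete connections.`, implies a bound is always in effect; if the daemon falls back to a built-in value when the key is unset, stating it here (and whether an empty value disables the timeout) would let operators see what actually limits half-open PT-TLS and RADIUS connections. The same applies to `charon.plugins.tnc-pdp.server =`, where it is not documented whether the option is mandatory once either protocol is enabled. Both points are inferred from the .opt text alone; the plugin's handling of an empty value is not visible in this hunk.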
@@ -0,0 +1,14 @@
+tnccs-20 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529).
+ # max_batch_size = 65522
+
+ # Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497).
+ # max_message_size = 65490
+
+}
+
diff --git a/conf/plugins/tnccs-20.opt b/conf/plugins/tnccs-20.opt
new file mode 100644
index 000000000..b15bc3fa1
--- /dev/null
+++ b/conf/plugins/tnccs-20.opt
@@ -0,0 +1,5 @@
+charon.plugins.tnccs-20.max_batch_size = 65522
+ Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529).
+
+charon.plugins.tnccs-20.max_message_size = 65490
+ Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497).
diff --git a/conf/plugins/unbound.conf b/conf/plugins/unbound.conf
new file mode 100644
index 000000000..8d3003118
--- /dev/null
+++ b/conf/plugins/unbound.conf
@@ -0,0 +1,17 @@
+unbound {
+
+ # File to read trusted keys for DLV (DNSSEC Lookaside Validation) from.
+ # dlv_anchors =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # File to read DNS resolver configuration from.
+ # resolv_conf = /etc/resolv.conf
+
+ # File to read DNSSEC trust anchors from (usually root zone KSK).
+ # trust_anchors = /etc/ipsec.d/dnssec.keys
+
+}
+
diff --git a/conf/plugins/unbound.opt b/conf/plugins/unbound.opt
new file mode 100644
index 000000000..f8ca9ca12
--- /dev/null
+++ b/conf/plugins/unbound.opt
@@ -0,0 +1,17 @@
+charon.plugins.unbound.resolv_conf = /etc/resolv.conf
+ File to read DNS resolver configuration from.
+
+charon.plugins.unbound.trust_anchors = /etc/ipsec.d/dnssec.keys
+ File to read DNSSEC trust anchors from (usually root zone KSK).
+
+ File to read DNSSEC trust anchors from (usually root zone KSK). The format
+ of the file is the standard DNS Zone file format, anchors can be stored as
+ DS or DNSKEY entries in the file.
+
+charon.plugins.unbound.dlv_anchors =
+ File to read trusted keys for DLV (DNSSEC Lookaside Validation) from.
+
+ File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It
+ uses the same format as _trust_anchors_. Only one DLV can be configured,
+ which is then used as a root trusted DLV, this means that it is a lookaside
+ for the root.
diff --git a/conf/plugins/updown.conf b/conf/plugins/updown.conf
new file mode 100644
index 000000000..8bcd330a8
--- /dev/null
+++ b/conf/plugins/updown.conf
@@ -0,0 +1,12 @@
+updown {
+
+ # Whether the updown script should handle assigned DNS servers (if enabled
+ # they can't be handled by other plugins, like resolve).
+ # dns_handler = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/updown.opt b/conf/plugins/updown.opt
new file mode 100644
index 000000000..d8bcc82ab
--- /dev/null
+++ b/conf/plugins/updown.opt
@@ -0,0 +1,7 @@
+charon.plugins.updown.dns_handler = no
+ Whether the updown script should handle assigned DNS servers (if enabled
+ they can't be handled by other plugins, like resolve).
+
+ Whether the updown script should handle DNS servers assigned via IKEv1 Mode
+ Config or IKEv2 Config Payloads (if enabled they can't be handled by other
+ plugins, like resolve)
diff --git a/conf/plugins/whitelist.conf b/conf/plugins/whitelist.conf
new file mode 100644
index 000000000..c68358bf2
--- /dev/null
+++ b/conf/plugins/whitelist.conf
@@ -0,0 +1,14 @@
+whitelist {
+
+ # Enable loaded whitelist plugin.
+ # enable = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Socket provided by the whitelist plugin.
+ # socket = unix://${piddir}/charon.wlst
+
+}
+
diff --git a/conf/plugins/whitelist.opt b/conf/plugins/whitelist.opt
new file mode 100644
index 000000000..023f7e235
--- /dev/null
+++ b/conf/plugins/whitelist.opt
@@ -0,0 +1,6 @@
+charon.plugins.whitelist.enable = yes
+ Enable loaded whitelist plugin.
+
+charon.plugins.whitelist.socket = unix://${piddir}/charon.wlst
+ Socket provided by the whitelist plugin.
+
diff --git a/conf/plugins/xauth-eap.conf b/conf/plugins/xauth-eap.conf
new file mode 100644
index 000000000..25ea2aa36
--- /dev/null
+++ b/conf/plugins/xauth-eap.conf
@@ -0,0 +1,11 @@
+xauth-eap {
+
+ # EAP plugin to be used as backend for XAuth credential verification.
+ # backend = radius
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/xauth-eap.opt b/conf/plugins/xauth-eap.opt
new file mode 100644
index 000000000..1663f935c
--- /dev/null
+++ b/conf/plugins/xauth-eap.opt
@@ -0,0 +1,2 @@
+charon.plugins.xauth-eap.backend = radius
+ EAP plugin to be used as backend for XAuth credential verification.
diff --git a/conf/plugins/xauth-pam.conf b/conf/plugins/xauth-pam.conf
new file mode 100644
index 000000000..aeba19195
--- /dev/null
+++ b/conf/plugins/xauth-pam.conf
@@ -0,0 +1,18 @@
+xauth-pam {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # PAM service to be used for authentication.
+ # pam_service = login
+
+ # Open/close a PAM session for each active IKE_SA.
+ # session = no
+
+ # If an email address is received as an XAuth username, trim it to just the
+ # username part.
+ # trim_email = yes
+
+}
+
diff --git a/conf/plugins/xauth-pam.opt b/conf/plugins/xauth-pam.opt
new file mode 100644
index 000000000..637dea6a6
--- /dev/null
+++ b/conf/plugins/xauth-pam.opt
@@ -0,0 +1,9 @@
+charon.plugins.xauth-pam.pam_service = login
+ PAM service to be used for authentication.
+
+charon.plugins.xauth-pam.session = no
+ Open/close a PAM session for each active IKE_SA.
+
+charon.plugins.xauth-pam.trim_email = yes
+ If an email address is received as an XAuth username, trim it to just the
+ username part.
diff --git a/conf/strongswan.conf b/conf/strongswan.conf
new file mode 100644
index 000000000..d90672861
--- /dev/null
+++ b/conf/strongswan.conf
@@ -0,0 +1,14 @@
+# strongswan.conf - strongSwan configuration file
+#
+# Refer to the strongswan.conf(5) manpage for details
+#
+# Configuration changes should be made in the included files
+
+charon {
+ load_modular = yes
+ plugins {
+ include strongswan.d/charon/*.conf
+ }
+}
+
+include strongswan.d/*.conf
diff --git a/conf/strongswan.conf.5.head.in b/conf/strongswan.conf.5.head.in
new file mode 100644
index 000000000..23454e758
--- /dev/null
+++ b/conf/strongswan.conf.5.head.in
@@ -0,0 +1,127 @@ +.TH STRONGSWAN.CONF 5 "" "@PACKAGE_VERSION@" "strongSwan" +.SH NAME +strongswan.conf \- strongSwan configuration file +.SH DESCRIPTION +While the +.IR ipsec.conf (5) +configuration file is well suited to define IPsec related configuration +parameters, it is not useful for other strongSwan applications to read options +from this file. +The file is hard to parse and only +.I ipsec starter +is capable of doing so. As the number of components of the strongSwan project +is continually growing, a more flexible configuration file was needed, one that +is easy to extend and can be used by all components. With strongSwan 4.2.1 +.IR strongswan.conf (5) +was introduced which meets these requirements. + +.SH SYNTAX +The format of the strongswan.conf file consists of hierarchical +.B sections +and a list of +.B key/value pairs +in each section. Each section has a name, followed by C-Style curly brackets +defining the section body. Each section body contains a set of subsections +and key/value pairs: +.PP +.EX + settings := (section|keyvalue)* + section := name { settings } + keyvalue := key = value\\n +.EE +.PP +Values must be terminated by a newline. +.PP +Comments are possible using the \fB#\fP-character, but be careful: The parser +implementation is currently limited and does not like brackets in comments. +.PP +Section names and keys may contain any printable character except: +.PP +.EX + . { } # \\n \\t space +.EE +.PP +An example file in this format might look like this: +.PP +.EX + a = b + section-one { + somevalue = asdf + subsection { + othervalue = xxx + } + # yei, a comment + yetanother = zz + } + section-two { + x = 12 + } +.EE +.PP +Indentation is optional, you may use tabs or spaces. + +.SH INCLUDING FILES +Using the +.B include +statement it is possible to include other files into strongswan.conf, e.g. 
+.PP +.EX + include /some/path/*.conf +.EE +.PP +If the file name is not an absolute path, it is considered to be relative +to the directory of the file containing the include statement. The file name +may include shell wildcards (see +.IR sh (1)). +Also, such inclusions can be nested. +.PP +Sections loaded from included files +.I extend +previously loaded sections; already existing values are +.IR replaced . +It is important to note that settings are added relative to the section the +include statement is in. +.PP +As an example, the following three files result in the same final +config as the one given above: +.PP +.EX + a = b + section-one { + somevalue = before include + include include.conf + } + include other.conf + +include.conf: + # settings loaded from this file are added to section-one + # the following replaces the previous value + somevalue = asdf + subsection { + othervalue = yyy + } + yetanother = zz + +other.conf: + # this extends section-one and subsection + section-one { + subsection { + # this replaces the previous value + othervalue = xxx + } + } + section-two { + x = 12 + } +.EE + +.SH READING VALUES +Values are accessed using a dot-separated section list and a key. +With reference to the example above, accessing +.B section-one.subsection.othervalue +will return +.BR xxx . + +.SH DEFINED KEYS +The following keys are currently defined (using dot notation). The default +value (if any) is listed in brackets after the key. diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main new file mode 100644 index 000000000..282b8fa70 --- /dev/null +++ b/conf/strongswan.conf.5.main 
@@ -0,0 +1,1664 @@ +.TP +.BR attest.database " []" +File measurement information database URI. If it contains a password, make sure +to adjust the permissions of the config file accordingly. + +.TP +.BR attest.load " []" +Plugins to load in ipsec attest tool. + +.TP +.B charon +.br +Options for the charon IKE daemon. + +.RB "" "Note" ":" +Many of the options in this section also apply to +.RB "" "charon\-cmd" "" +and +other +.RB "" "charon" "" +derivatives. Just use their respective name (e.g. +.RB "" "charon\-cmd" "" +instead of +.RB "" "charon" ")." +For many options defaults can be defined +in the +.RB "" "libstrongswan" "" +section. + +.TP +.BR charon.block_threshold " [5]" +Maximum number of half\-open IKE_SAs for a single peer IP. + +.TP +.BR charon.cert_cache " [yes]" +Whether relations in validated certificate chains should be cached in memory. + +.TP +.BR charon.cisco_unity " [no]" +Send Cisco Unity vendor ID payload (IKEv1 only). + +.TP +.BR charon.close_ike_on_child_failure " [no]" +Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. + +.TP +.BR charon.cookie_threshold " [10]" +Number of half\-open IKE_SAs that activate the cookie mechanism. + +.TP +.BR charon.dh_exponent_ansi_x9_42 " [yes]" +Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic +strength. + +.TP +.BR charon.dns1 " []" +DNS server assigned to peer via configuration payload (CP). + +.TP +.BR charon.dns2 " []" +DNS server assigned to peer via configuration payload (CP). + +.TP +.BR charon.dos_protection " [yes]" +Enable Denial of Service protection using cookies and aggressiveness checks. + +.TP +.BR charon.ecp_x_coordinate_only " [yes]" +Compliance with the errata for RFC 4753. + +.TP +.BR charon.flush_auth_cfg " [no]" +If enabled objects used during authentication (certificates, identities etc.) +are released to free memory once an IKE_SA is established. Enabling this might +conflict with plugins that later need access to e.g. the used certificates. 
+ +.TP +.BR charon.fragment_size " [512]" +Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1 +fragmentation extension. + +.TP +.BR charon.group " []" +Name of the group the daemon changes to after startup. + +.TP +.BR charon.half_open_timeout " [30]" +Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). + +.TP +.BR charon.hash_and_url " [no]" +Enable hash and URL support. + +.TP +.BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]" +If enabled responders are allowed to use IKEv1 Aggressive Mode with pre\-shared +keys, which is discouraged due to security concerns (offline attacks on the +openly transmitted hash of the PSK). + +.TP +.BR charon.ignore_routing_tables " []" +A space\-separated list of routing tables to be excluded from route lookups. + +.TP +.BR charon.ikesa_limit " [0]" +Maximum number of IKE_SAs that can be established at the same time before new +connection attempts are blocked. + +.TP +.BR charon.ikesa_table_segments " [1]" +Number of exclusively locked segments in the hash table. + +.TP +.BR charon.ikesa_table_size " [1]" +Size of the IKE_SA hash table. + +.TP +.BR charon.inactivity_close_ike " [no]" +Whether to close IKE_SA if the only CHILD_SA closed due to inactivity. + +.TP +.BR charon.init_limit_half_open " [0]" +Limit new connections based on the current number of half open IKE_SAs, see +IKE_SA_INIT DROPPING in +.RB "" "strongswan.conf" "(5)." + + +.TP +.BR charon.init_limit_job_load " [0]" +Limit new connections based on the number of jobs currently queued for +processing (see IKE_SA_INIT DROPPING). + +.TP +.BR charon.initiator_only " [no]" +Causes charon daemon to ignore IKE initiation requests. + +.TP +.BR charon.install_routes " [yes]" +Install routes into a separate routing table for established IPsec tunnels. + +.TP +.BR charon.install_virtual_ip " [yes]" +Install virtual IP addresses. 
+ +.TP +.BR charon.install_virtual_ip_on " []" +The name of the interface on which virtual IP addresses should be installed. If +not specified the addresses will be installed on the outbound interface. + +.TP +.BR charon.integrity_test " [no]" +Check daemon, libstrongswan and plugin integrity at startup. + +.TP +.BR charon.interfaces_ignore " []" +A comma\-separated list of network interfaces that should be ignored, if +.RB "" "interfaces_use" "" +is specified this option has no effect. + +.TP +.BR charon.interfaces_use " []" +A comma\-separated list of network interfaces that should be used by charon. All +other interfaces are ignored. + +.TP +.BR charon.keep_alive " [20s]" +NAT keep alive interval. + +.TP +.BR charon.load " []" +Plugins to load in the IKE daemon charon. + +.TP +.BR charon.load_modular " [no]" +If enabled, the list of plugins to load is determined via the value of the +.RI "" "charon.plugins..load" "" +options. In addition to a simple boolean flag that +option may take an integer value indicating the priority of a plugin, which +would influence the order of a plugin in the plugin list (the default is 1). If +two plugins have the same priority their order in the default plugin list is +preserved. Enabled plugins not found in that list are ordered alphabetically +before other plugins with the same priority. + +.TP +.BR charon.max_packet " [10000]" +Maximum packet size accepted by charon. + +.TP +.BR charon.multiple_authentication " [yes]" +Enable multiple authentication exchanges (RFC 4739). + +.TP +.BR charon.nbns1 " []" +WINS servers assigned to peer via configuration payload (CP). + +.TP +.BR charon.nbns2 " []" +WINS servers assigned to peer via configuration payload (CP). + +.TP +.BR charon.port " [500]" +UDP port used locally. If set to 0 a random port will be allocated. + +.TP +.BR charon.port_nat_t " [4500]" +UDP port used locally in case of NAT\-T. If set to 0 a random port will be +allocated. 
Has to be different from +.RB "" "charon.port" "," +otherwise a random port +will be allocated. + +.TP +.BR charon.process_route " [yes]" +Process RTM_NEWROUTE and RTM_DELROUTE events. + +.TP +.BR charon.receive_delay " [0]" +Delay in ms for receiving packets, to simulate larger RTT. + +.TP +.BR charon.receive_delay_request " [yes]" +Delay request messages. + +.TP +.BR charon.receive_delay_response " [yes]" +Delay response messages. + +.TP +.BR charon.receive_delay_type " [0]" +Specific IKEv2 message type to delay, 0 for any. + +.TP +.BR charon.replay_window " [32]" +Size of the AH/ESP replay window, in packets. + +.TP +.BR charon.retransmit_base " [1.8]" +Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in +.RB "" "strongswan.conf" "(5)." + + +.TP +.BR charon.retransmit_timeout " [4.0]" +Timeout in seconds before sending first retransmit. + +.TP +.BR charon.retransmit_tries " [5]" +Number of times to retransmit a packet before giving up. + +.TP +.BR charon.retry_initiate_interval " [0]" +Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution +failed), 0 to disable retries. + +.TP +.BR charon.reuse_ikesa " [yes]" +Initiate CHILD_SA within existing IKE_SAs. + +.TP +.BR charon.routing_table " []" +Numerical routing table to install routes to. + +.TP +.BR charon.routing_table_prio " []" +Priority of the routing table. + +.TP +.BR charon.send_delay " [0]" +Delay in ms for sending packets, to simulate larger RTT. + +.TP +.BR charon.send_delay_request " [yes]" +Delay request messages. + +.TP +.BR charon.send_delay_response " [yes]" +Delay response messages. + +.TP +.BR charon.send_delay_type " [0]" +Specific IKEv2 message type to delay, 0 for any. + +.TP +.BR charon.send_vendor_id " [no]" +Send strongSwan vendor ID payload + +.TP +.BR charon.threads " [16]" +Number of worker threads in charon. Several of these are reserved for long +running tasks in internal modules and plugins. 
Therefore, make sure you don't +set this value too low. The number of idle worker threads listed in +.RI "" "ipsec statusall" "" +might be used as indicator on the number of reserved threads. + +.TP +.BR charon.user " []" +Name of the user the daemon changes to after startup. + +.TP +.BR charon.crypto_test.bench " [no]" +Benchmark crypto algorithms and order them by efficiency. + +.TP +.BR charon.crypto_test.bench_size " [1024]" +Buffer size used for crypto benchmark. + +.TP +.BR charon.crypto_test.bench_time " [50]" +Number of iterations to test each algorithm. + +.TP +.BR charon.crypto_test.on_add " [no]" +Test crypto algorithms during registration (requires test vectors provided by +the +.RI "" "test\-vectors" "" +plugin). + +.TP +.BR charon.crypto_test.on_create " [no]" +Test crypto algorithms on each crypto primitive instantiation. + +.TP +.BR charon.crypto_test.required " [no]" +Strictly require at least one test vector to enable an algorithm. + +.TP +.BR charon.crypto_test.rng_true " [no]" +Whether to test RNG with TRUE quality; requires a lot of entropy. + +.TP +.B charon.filelog +.br +Section to define file loggers, see LOGGER CONFIGURATION in +.RB "" "strongswan.conf" "(5)." + + +.TP +.B charon.filelog. +.br + is the full path to the log file. + +.TP +.BR charon.filelog.. " []" +Loglevel for a specific subsystem. + +.TP +.BR charon.filelog..append " [yes]" +If this option is enabled log entries are appended to the existing file. + +.TP +.BR charon.filelog..default " [1]" +Specifies the default loglevel to be used for subsystems for which no specific +loglevel is defined. + +.TP +.BR charon.filelog..flush_line " [no]" +Enabling this option disables block buffering and enables line buffering. + +.TP +.BR charon.filelog..ike_name " [no]" +Prefix each log entry with the connection name and a unique numerical identifier +for each IKE_SA. + +.TP +.BR charon.filelog..time_format " []" +Prefix each log entry with a timestamp. 
The option accepts a format string as +passed to +.RB "" "strftime" "(3)." + + +.TP +.BR charon.host_resolver.max_threads " [3]" +Maximum number of concurrent resolver threads (they are terminated if unused). + +.TP +.BR charon.host_resolver.min_threads " [0]" +Minimum number of resolver threads to keep around. + +.TP +.B charon.imcv +.br +Defaults for options in this section can be configured in the +.RI "" "libimcv" "" +section. + +.TP +.BR charon.imcv.assessment_result " [yes]" +Whether IMVs send a standard IETF Assessment Result attribute. + +.TP +.BR charon.imcv.database " []" +Global IMV policy database URI. If it contains a password, make sure to adjust +the permissions of the config file accordingly. + +.TP +.BR charon.imcv.policy_script " [ipsec _imv_policy]" +Script called for each TNC connection to generate IMV policies. + +.TP +.BR charon.imcv.os_info.name " []" +Manually set the name of the client OS (e.g. Ubuntu). + +.TP +.BR charon.imcv.os_info.version " []" +Manually set the version of the client OS (e.g. 12.04 i686). + +.TP +.BR charon.leak_detective.detailed " [yes]" +Includes source file names and line numbers in leak detective output. + +.TP +.BR charon.leak_detective.usage_threshold " [10240]" +Threshold in bytes for leaks to be reported (0 to report all). + +.TP +.BR charon.leak_detective.usage_threshold_count " [0]" +Threshold in number of allocations for leaks to be reported (0 to report all). + +.TP +.BR charon.plugins.android_log.loglevel " [1]" +Loglevel for logging to Android specific logger. + +.TP +.B charon.plugins.attr +.br +Section to specify arbitrary attributes that are assigned to a peer via +configuration payload (CP). + +.TP +.BR charon.plugins.attr. " []" +.RB "" "" "" +can be either +.RI "" "address" "," +.RI "" "netmask" "," +.RI "" "dns" "," +.RI "" "nbns" "," +.RI "" "dhcp" "," +.RI "" "subnet" "," +.RI "" "split\-include" "," +.RI "" "split\-exclude" "" +or the numeric identifier of the attribute +type. 
The assigned value can be an IPv4/IPv6 address, a subnet in CIDR notation +or an arbitrary value depending on the attribute type. For some attribute types +multiple values may be specified as a comma separated list. + +.TP +.BR charon.plugins.attr-sql.database " []" +Database URI for attr\-sql plugin used by charon. If it contains a password, make +sure to adjust the permissions of the config file accordingly. + +.TP +.BR charon.plugins.attr-sql.lease_history " [yes]" +Enable logging of SQL IP pool leases. + +.TP +.BR charon.plugins.certexpire.csv.cron " []" +Cron style string specifying CSV export times. + +.TP +.BR charon.plugins.certexpire.csv.empty_string " []" +String to use in empty intermediate CA fields. + +.TP +.BR charon.plugins.certexpire.csv.fixed_fields " [yes]" +Use a fixed intermediate CA field count. + +.TP +.BR charon.plugins.certexpire.csv.force " [yes]" +Force export of all trustchains we have a private key for. + +.TP +.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]" +.RB "" "strftime" "(3)" +format string to export expiration dates as. + +.TP +.BR charon.plugins.certexpire.csv.local " []" +.RB "" "strftime" "(3)" +format string for the CSV file name to export local certificates +to. + +.TP +.BR charon.plugins.certexpire.csv.remote " []" +.RB "" "strftime" "(3)" +format string for the CSV file name to export remote +certificates to. + +.TP +.BR charon.plugins.certexpire.csv.separator " [,]" +CSV field separator. + +.TP +.BR charon.plugins.coupling.file " []" +File to store coupling list to. + +.TP +.BR charon.plugins.coupling.hash " [sha1]" +Hashing algorithm to fingerprint coupled certificates. + +.TP +.BR charon.plugins.coupling.max " [1]" +Maximum number of coupling entries to create. + +.TP +.BR charon.plugins.dhcp.force_server_address " [no]" +Always use the configured server address. This might be helpful if the DHCP +server runs on the same host as strongSwan, and the DHCP daemon does not listen +on the loopback interface. 
In that case the server cannot be reached via +unicast (or even 255.255.255.255) as that would be routed via loopback. Setting +this option to yes and configuring the local broadcast address (e.g. +192.168.0.255) as server address might work. + +.TP +.BR charon.plugins.dhcp.identity_lease " [no]" +Derive user\-defined MAC address from hash of IKE identity. + +.TP +.BR charon.plugins.dhcp.interface " []" +Interface name the plugin uses for address allocation. The default is to bind to +any (0.0.0.0) and let the system decide which way to route the packets to the +DHCP server. + +.TP +.BR charon.plugins.dhcp.server " [255.255.255.255]" +DHCP server unicast or broadcast IP address. + +.TP +.BR charon.plugins.dnscert.enable " [no]" +Enable fetching of CERT RRs via DNS. + +.TP +.BR charon.plugins.duplicheck.enable " [yes]" +Enable duplicheck plugin (if loaded). + +.TP +.BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]" +Socket provided by the duplicheck plugin. + +.TP +.BR charon.plugins.eap-aka.request_identity " [yes]" +.TP +.BR charon.plugins.eap-aka-3ggp2.seq_check " []" +.TP +.BR charon.plugins.eap-dynamic.prefer_user " [no]" +If enabled the EAP methods proposed in an EAP\-Nak message sent by the peer are +preferred over the methods registered locally. + +.TP +.BR charon.plugins.eap-dynamic.preferred " []" +The preferred EAP method(s) to be used. If it is not given the first registered +method will be used initially. If a comma separated list is given the methods +are tried in the given order before trying the rest of the registered methods. + +.TP +.BR charon.plugins.eap-gtc.backend " [pam]" +XAuth backend to be used for credential verification. + +.TP +.BR charon.plugins.eap-peap.fragment_size " [1024]" +Maximum size of an EAP\-PEAP packet. + +.TP +.BR charon.plugins.eap-peap.include_length " [no]" +Include length in non\-fragmented EAP\-PEAP packets. 
+ +.TP +.BR charon.plugins.eap-peap.max_message_count " [32]" +Maximum number of processed EAP\-PEAP packets (0 = no limit). + +.TP +.BR charon.plugins.eap-peap.phase2_method " [mschapv2]" +Phase2 EAP client authentication method. + +.TP +.BR charon.plugins.eap-peap.phase2_piggyback " [no]" +Phase2 EAP Identity request piggybacked by server onto TLS Finished message. + +.TP +.BR charon.plugins.eap-peap.phase2_tnc " [no]" +Start phase2 EAP TNC protocol after successful client authentication. + +.TP +.BR charon.plugins.eap-peap.request_peer_auth " [no]" +Request peer authentication based on a client certificate. + +.TP +.BR charon.plugins.eap-radius.accounting " [no]" +Send RADIUS accounting information to RADIUS servers. + +.TP +.BR charon.plugins.eap-radius.accounting_requires_vip " [no]" +If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP. + +.TP +.BR charon.plugins.eap-radius.class_group " [no]" +Use the +.RI "" "class" "" +attribute sent in the RADIUS\-Accept message as group membership +information that is compared to the groups specified in the +.RB "" "rightgroups" "" +option in +.RB "" "ipsec.conf" "(5)." + + +.TP +.BR charon.plugins.eap-radius.close_all_on_timeout " [no]" +Closes all IKE_SAs if communication with the RADIUS server times out. If it is +not set only the current IKE_SA is closed. + +.TP +.BR charon.plugins.eap-radius.eap_start " [no]" +Send EAP\-Start instead of EAP\-Identity to start RADIUS conversation. + +.TP +.BR charon.plugins.eap-radius.filter_id " [no]" +If the RADIUS +.RI "" "tunnel_type" "" +attribute with value +.RB "" "ESP" "" +is received, use the +.RI "" "filter_id" "" +attribute sent in the RADIUS\-Accept message as group membership +information that is compared to the groups specified in the +.RB "" "rightgroups" "" +option in +.RB "" "ipsec.conf" "(5)." + + +.TP +.BR charon.plugins.eap-radius.id_prefix " []" +Prefix to EAP\-Identity, some AAA servers use a IMSI prefix to select the EAP +method. 
+ +.TP +.BR charon.plugins.eap-radius.nas_identifier " [strongSwan]" +NAS\-Identifier to include in RADIUS messages. + +.TP +.BR charon.plugins.eap-radius.port " [1812]" +Port of RADIUS server (authentication). + +.TP +.BR charon.plugins.eap-radius.secret " []" +Shared secret between RADIUS and NAS. If set, make sure to adjust the +permissions of the config file accordingly. + +.TP +.BR charon.plugins.eap-radius.server " []" +IP/Hostname of RADIUS server. + +.TP +.BR charon.plugins.eap-radius.sockets " [1]" +Number of sockets (ports) to use, increase for high load. + +.TP +.BR charon.plugins.eap-radius.dae.enable " [no]" +Enables support for the Dynamic Authorization Extension (RFC 5176). + +.TP +.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]" +Address to listen for DAE messages from the RADIUS server. + +.TP +.BR charon.plugins.eap-radius.dae.port " [3799]" +Port to listen for DAE requests. + +.TP +.BR charon.plugins.eap-radius.dae.secret " []" +Shared secret used to verify/sign DAE messages. If set, make sure to adjust the +permissions of the config file accordingly. + +.TP +.BR charon.plugins.eap-radius.forward.ike_to_radius " []" +RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by name +or attribute number, a colon can be used to specify vendor\-specific attributes, +e.g. Reply\-Message, or 11, or 36906:12). + +.TP +.BR charon.plugins.eap-radius.forward.radius_to_ike " []" +Same as +.RI "" "charon.plugins.eap\-radius.forward.ike_to_radius" "" +but from RADIUS to +IKEv2, a strongSwan specific private notify (40969) is used to transmit the +attributes. + +.TP +.B charon.plugins.eap-radius.servers +.br +Section to specify multiple RADIUS servers. The +.RB "" "nas_identifier" "," +.RB "" "secret" "," +.RB "" "sockets" "" +and +.RB "" "port" "" +(or +.RB "" "auth_port" ")" +options can be specified for each +server. A server's IP/Hostname can be configured using the +.RB "" "address" "" +option. 
+The +.RB "" "acct_port" "" +[1813] option can be used to specify the port used for RADIUS +accounting. For each RADIUS server a priority can be specified using the +.RB "" "preference" "" +[0] option. + +.TP +.B charon.plugins.eap-radius.xauth +.br +Section to configure multiple XAuth authentication rounds via RADIUS. The +subsections define so called authentication profiles with arbitrary names. In +each profile section one or more XAuth types can be configured, with an assigned +message. For each type a separate XAuth exchange will be initiated and all +replies get concatenated into the User\-Password attribute, which then gets +verified over RADIUS. + +Available XAuth types are +.RB "" "password" "," +.RB "" "passcode" "," +.RB "" "nextpin" "," +and +.RB "" "answer" "." +This type is not relevant to strongSwan or the AAA server, but the +client may show a different dialog (along with the configured message). + +To use the configured profiles, they have to be configured in the respective +connection in +.RB "" "ipsec.conf" "(5)" +by appending the profile name, separated by a +colon, to the +.RB "" "xauth\-radius" "" +XAauth backend configuration in +.RI "" "rightauth" "" +or +.RI "" "rightauth2" "," +for instance, +.RI "" "rightauth2=xauth\-radius:profile" "." + + +.TP +.BR charon.plugins.eap-sim.request_identity " [yes]" +.TP +.BR charon.plugins.eap-simaka-sql.database " []" +.TP +.BR charon.plugins.eap-simaka-sql.remove_used " [no]" +.TP +.BR charon.plugins.eap-tls.fragment_size " [1024]" +Maximum size of an EAP\-TLS packet. + +.TP +.BR charon.plugins.eap-tls.include_length " [yes]" +Include length in non\-fragmented EAP\-TLS packets. + +.TP +.BR charon.plugins.eap-tls.max_message_count " [32]" +Maximum number of processed EAP\-TLS packets (0 = no limit). + +.TP +.BR charon.plugins.eap-tnc.max_message_count " [10]" +Maximum number of processed EAP\-TNC packets (0 = no limit). 
+ +.TP +.BR charon.plugins.eap-tnc.protocol " [tnccs-1.1]" +IF\-TNCCS protocol version to be used +.RI "(" "tnccs\-1.1" "," +.RI "" "tnccs\-2.0" "," +.RI "" "tnccs\-dynamic" ")." + + +.TP +.BR charon.plugins.eap-ttls.fragment_size " [1024]" +Maximum size of an EAP\-TTLS packet. + +.TP +.BR charon.plugins.eap-ttls.include_length " [yes]" +Include length in non\-fragmented EAP\-TTLS packets. + +.TP +.BR charon.plugins.eap-ttls.max_message_count " [32]" +Maximum number of processed EAP\-TTLS packets (0 = no limit). + +.TP +.BR charon.plugins.eap-ttls.phase2_method " [md5]" +Phase2 EAP client authentication method. + +.TP +.BR charon.plugins.eap-ttls.phase2_piggyback " [no]" +Phase2 EAP Identity request piggybacked by server onto TLS Finished message. + +.TP +.BR charon.plugins.eap-ttls.phase2_tnc " [no]" +Start phase2 EAP TNC protocol after successful client authentication. + +.TP +.BR charon.plugins.eap-ttls.request_peer_auth " [no]" +Request peer authentication based on a client certificate. + +.TP +.BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]" +Socket provided by the error\-notify plugin. + +.TP +.BR charon.plugins.gcrypt.quick_random " [no]" +Use faster random numbers in gcrypt; for testing only, produces weak keys! + +.TP +.BR charon.plugins.ha.autobalance " [0]" +Interval in seconds to automatically balance handled segments between nodes. Set +to 0 to disable. + +.TP +.BR charon.plugins.ha.fifo_interface " [yes]" +.TP +.BR charon.plugins.ha.heartbeat_delay " [1000]" +.TP +.BR charon.plugins.ha.heartbeat_timeout " [2100]" +.TP +.BR charon.plugins.ha.local " []" +.TP +.BR charon.plugins.ha.monitor " [yes]" +.TP +.BR charon.plugins.ha.pools " []" +.TP +.BR charon.plugins.ha.remote " []" +.TP +.BR charon.plugins.ha.resync " [yes]" +.TP +.BR charon.plugins.ha.secret " []" +.TP +.BR charon.plugins.ha.segment_count " [1]" +.TP +.BR charon.plugins.imc-attestation.aik_blob " []" +AIK encrypted private key blob file. 
+ +.TP +.BR charon.plugins.imc-attestation.aik_cert " []" +AIK certificate file. + +.TP +.BR charon.plugins.imc-attestation.aik_key " []" +AIK public key file. + +.TP +.BR charon.plugins.imc-attestation.nonce_len " [20]" +DH nonce length. + +.TP +.BR charon.plugins.imc-attestation.pcr17_after " []" +Dummy data if the TBOOT log is not retrieved. + +.TP +.BR charon.plugins.imc-attestation.pcr17_before " []" +Dummy data if the TBOOT log is not retrieved. + +.TP +.BR charon.plugins.imc-attestation.pcr17_meas " []" +Dummy data if the TBOOT log is not retrieved. + +.TP +.BR charon.plugins.imc-attestation.pcr18_after " []" +Dummy data if the TBOOT log is not retrieved. + +.TP +.BR charon.plugins.imc-attestation.pcr18_before " []" +Dummy data if the TBOOT log is not retrieved. + +.TP +.BR charon.plugins.imc-attestation.pcr18_meas " []" +Dummy data if the TBOOT log is not retrieved. + +.TP +.BR charon.plugins.imc-attestation.pcr_info " [yes]" +Whether to send pcr_before and pcr_after info. + +.TP +.BR charon.plugins.imc-attestation.use_quote2 " [yes]" +Use Quote2 AIK signature instead of Quote signature. + +.TP +.BR charon.plugins.imc-os.push_info " [yes]" +Send operating system info without being prompted. + +.TP +.BR charon.plugins.imc-scanner.push_info " [yes]" +Send open listening ports without being prompted. + +.TP +.BR charon.plugins.imc-swid.swid_directory " [${prefix}/share]" +Directory where SWID tags are located. + +.TP +.BR charon.plugins.imc-test.additional_ids " [0]" +Number of additional IMC IDs. + +.TP +.BR charon.plugins.imc-test.command " [none]" +Command to be sent to the Test IMV. + +.TP +.BR charon.plugins.imc-test.dummy_size " [0]" +Size of dummy attribute to be sent to the Test IMV (0 = disabled). + +.TP +.BR charon.plugins.imc-test.retry " [no]" +Do a handshake retry. + +.TP +.BR charon.plugins.imc-test.retry_command " []" +Command to be sent to the Test IMV in the handshake retry. 
+ +.TP +.BR charon.plugins.imv-attestation.cadir " []" +Path to directory with AIK cacerts. + +.TP +.BR charon.plugins.imv-attestation.dh_group " [ecp256]" +Preferred Diffie\-Hellman group. + +.TP +.BR charon.plugins.imv-attestation.hash_algorithm " [sha256]" +Preferred measurement hash algorithm. + +.TP +.BR charon.plugins.imv-attestation.min_nonce_len " [0]" +DH minimum nonce length. + +.TP +.BR charon.plugins.imv-os.remediation_uri " []" +URI pointing to operating system remediation instructions. + +.TP +.BR charon.plugins.imv-scanner.remediation_uri " []" +URI pointing to scanner remediation instructions. + +.TP +.BR charon.plugins.imv-test.rounds " [0]" +Number of IMC\-IMV retry rounds. + +.TP +.BR charon.plugins.ipseckey.enable " [no]" +Enable fetching of IPSECKEY RRs via DNS. + +.TP +.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]" +Number of ipsecN devices. + +.TP +.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]" +Set MTU of ipsecN device. + +.TP +.BR charon.plugins.kernel-libipsec.allow_peer_ts " [no]" +Allow that the remote traffic selector equals the IKE peer. The route installed +for such traffic (via TUN device) usually prevents further IKE traffic. The +fwmark options for the +.RI "" "kernel\-netlink" "" +and +.RI "" "socket\-default" "" +plugins can be used +to circumvent that problem. + +.TP +.BR charon.plugins.kernel-netlink.fwmark " []" +Firewall mark to set on the routing rule that directs traffic to our routing +table. The format is [!]mark[/mask], where the optional exclamation mark inverts +the meaning (i.e. the rule only applies to packets that don't match the mark). + +.TP +.BR charon.plugins.kernel-netlink.roam_events " [yes]" +Whether to trigger roam events when interfaces, addresses or routes change. + +.TP +.BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]" +Lifetime of XFRM acquire state in kernel. The value gets written to +/proc/sys/net/core/xfrm_acq_expires. 
Indirectly controls the delay of XFRM +acquire messages sent. + +.TP +.BR charon.plugins.kernel-pfroute.vip_wait " [1000]" +Time in ms to wait until virtual IP addresses appear/disappear before failing. + +.TP +.BR charon.plugins.led.activity_led " []" +.TP +.BR charon.plugins.led.blink_time " [50]" +.TP +.B charon.plugins.load-tester +.br +Section to configure the load\-tester plugin, see LOAD TESTS in +.RB "" "strongswan.conf" "(5)" +for details. + +.TP +.BR charon.plugins.load-tester.addrs_keep " [no]" +Whether to keep dynamic addresses even after the associated SA got terminated. + +.TP +.BR charon.plugins.load-tester.addrs_prefix " [16]" +Network prefix length to use when installing dynamic addresses. If set to \-1 the +full address is used (i.e. 32 or 128). + +.TP +.BR charon.plugins.load-tester.ca_dir " []" +Directory to load (intermediate) CA certificates from. + +.TP +.BR charon.plugins.load-tester.child_rekey " [600]" +Seconds to start CHILD_SA rekeying after setup. + +.TP +.BR charon.plugins.load-tester.delay " [0]" +Delay between initiatons for each thread. + +.TP +.BR charon.plugins.load-tester.delete_after_established " [no]" +Delete an IKE_SA as soon as it has been established. + +.TP +.BR charon.plugins.load-tester.digest " [sha1]" +Digest algorithm used when issuing certificates. + +.TP +.BR charon.plugins.load-tester.dpd_delay " [0]" +DPD delay to use in load test. + +.TP +.BR charon.plugins.load-tester.dynamic_port " [0]" +Base port to be used for requests (each client uses a different port). + +.TP +.BR charon.plugins.load-tester.eap_password " [default-pwd]" +EAP secret to use in load test. + +.TP +.BR charon.plugins.load-tester.enable " [no]" +Enable the load testing plugin. +.RB "" "WARNING" ":" +Never enable this plugin on +productive systems. It provides preconfigured credentials and allows an attacker +to authenticate as any user. + +.TP +.BR charon.plugins.load-tester.esp " [aes128-sha1]" +CHILD_SA proposal to use for load tests. 
+ +.TP +.BR charon.plugins.load-tester.fake_kernel " [no]" +Fake the kernel interface to allow load\-testing against self. + +.TP +.BR charon.plugins.load-tester.ike_rekey " [0]" +Seconds to start IKE_SA rekeying after setup. + +.TP +.BR charon.plugins.load-tester.init_limit " [0]" +Global limit of concurrently established SAs during load test. + +.TP +.BR charon.plugins.load-tester.initiator " [0.0.0.0]" +Address to initiate from. + +.TP +.BR charon.plugins.load-tester.initiator_auth " [pubkey]" +Authentication method(s) the intiator uses. + +.TP +.BR charon.plugins.load-tester.initiator_id " []" +Initiator ID used in load test. + +.TP +.BR charon.plugins.load-tester.initiator_match " []" +Initiator ID to match against as responder. + +.TP +.BR charon.plugins.load-tester.initiator_tsi " []" +Traffic selector on initiator side, as proposed by initiator. + +.TP +.BR charon.plugins.load-tester.initiator_tsr " []" +Traffic selector on responder side, as proposed by initiator. + +.TP +.BR charon.plugins.load-tester.initiators " [0]" +Number of concurrent initiator threads to use in load test. + +.TP +.BR charon.plugins.load-tester.issuer_cert " []" +Path to the issuer certificate (if not configured a hard\-coded default value is +used). + +.TP +.BR charon.plugins.load-tester.issuer_key " []" +Path to private key that is used to issue certificates (if not configured a +hard\-coded default value is used). + +.TP +.BR charon.plugins.load-tester.iterations " [1]" +Number of IKE_SAs to initiate by each initiator in load test. + +.TP +.BR charon.plugins.load-tester.mode " [tunnel]" +IPsec mode to use, one of +.RI "" "tunnel" "," +.RI "" "transport" "," +or +.RI "" "beet" "." + + +.TP +.BR charon.plugins.load-tester.pool " []" +Provide INTERNAL_IPV4_ADDRs from a named pool. + +.TP +.BR charon.plugins.load-tester.preshared_key " []" +Preshared key to use in load test. + +.TP +.BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]" +IKE proposal to use in load test. 
+ +.TP +.BR charon.plugins.load-tester.request_virtual_ip " [no]" +Request an INTERNAL_IPV4_ADDR from the server. + +.TP +.BR charon.plugins.load-tester.responder " [127.0.0.1]" +Address to initiation connections to. + +.TP +.BR charon.plugins.load-tester.responder_auth " [pubkey]" +Authentication method(s) the responder uses. + +.TP +.BR charon.plugins.load-tester.responder_id " []" +Responder ID used in load test. + +.TP +.BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]" +Traffic selector on initiator side, as narrowed by responder. + +.TP +.BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]" +Traffic selector on responder side, as narrowed by responder. + +.TP +.BR charon.plugins.load-tester.shutdown_when_complete " [no]" +Shutdown the daemon after all IKE_SAs have been established. + +.TP +.BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]" +Socket provided by the load\-tester plugin. + +.TP +.BR charon.plugins.load-tester.version " [0]" +IKE version to use (0 means use IKEv2 as initiator and accept any version as +responder). + +.TP +.B charon.plugins.load-tester.addrs +.br +Section that contains key/value pairs with address pools (in CIDR notation) to +use for a specific network interface e.g. eth0 = 10.10.0.0/16. + +.TP +.BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]" +Socket provided by the lookip plugin. + +.TP +.BR charon.plugins.ntru.max_drbg_requests " [4294967294]" +Number of pseudo\-random bit requests from the DRBG before an automatic reseeding +occurs. + +.TP +.BR charon.plugins.ntru.parameter_set " [optimum]" +The following parameter sets are available: +.RB "" "x9_98_speed" "," +.RB "" "x9_98_bandwidth" "," +.RB "" "x9_98_balance" "" +and +.RB "" "optimum" "," +the last set not being +part of the X9.98 standard but having the best performance. + +.TP +.BR charon.plugins.openssl.engine_id " [pkcs11]" +ENGINE ID to use in the OpenSSL plugin. 
+ +.TP +.BR charon.plugins.openssl.fips_mode " [0]" +Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2). + +.TP +.BR charon.plugins.pkcs11.load_certs " [yes]" +Whether to load certificates from tokens. + +.TP +.BR charon.plugins.pkcs11.reload_certs " [no]" +Reload certificates from all tokens if charon receives a SIGHUP. + +.TP +.BR charon.plugins.pkcs11.use_dh " [no]" +Whether the PKCS#11 modules should be used for DH and ECDH (see +.RI "" "use_ecc" "" +option). + +.TP +.BR charon.plugins.pkcs11.use_ecc " [no]" +Whether the PKCS#11 modules should be used for ECDH and ECDSA public key +operations. ECDSA private keys can be used regardless of this option. + +.TP +.BR charon.plugins.pkcs11.use_hasher " [no]" +Whether the PKCS#11 modules should be used to hash data. + +.TP +.BR charon.plugins.pkcs11.use_pubkey " [no]" +Whether the PKCS#11 modules should be used for public key operations, even for +keys not stored on tokens. + +.TP +.BR charon.plugins.pkcs11.use_rng " [no]" +Whether the PKCS#11 modules should be used as RNG. + +.TP +.B charon.plugins.pkcs11.modules +.br +List of available PKCS#11 modules. + +.TP +.BR charon.plugins.radattr.dir " []" +Directory where RADIUS attributes are stored in client\-ID specific files. + +.TP +.BR charon.plugins.radattr.message_id " [-1]" +Attributes are added to all IKE_AUTH messages by default (\-1), or only to the +IKE_AUTH message with the given IKEv2 message ID. + +.TP +.BR charon.plugins.random.random " [${random_device}]" +File to read random bytes from. + +.TP +.BR charon.plugins.random.strong_equals_true " [no]" +If set to yes the RNG_STRONG class reads random bytes from the same source as +the RNG_TRUE class. + +.TP +.BR charon.plugins.random.urandom " [${urandom_device}]" +File to read pseudo random bytes from. + +.TP +.BR charon.plugins.resolve.file " [/etc/resolv.conf]" +File where to add DNS server entries. 
+ +.TP +.BR charon.plugins.resolve.resolvconf.iface_prefix " [lo.inet.ipsec.]" +Prefix used for interface names sent to +.RB "" "resolvconf" "(8)." +The nameserver +address is appended to this prefix to make it unique. The result has to be a +valid interface name according to the rules defined by resolvconf. Also, it +should have a high priority according to the order defined in +.RB "" "interface\-order" "(5)." + + +.TP +.BR charon.plugins.socket-default.fwmark " []" +Firewall mark to set on outbound packets. + +.TP +.BR charon.plugins.socket-default.set_source " [yes]" +Set source address on outbound packets, if possible. + +.TP +.BR charon.plugins.socket-default.use_ipv4 " [yes]" +Listen on IPv4, if possible. + +.TP +.BR charon.plugins.socket-default.use_ipv6 " [yes]" +Listen on IPv6, if possible. + +.TP +.BR charon.plugins.sql.database " []" +Database URI for charon's SQL plugin. If it contains a password, make sure to +adjust the permissions of the config file accordingly. + +.TP +.BR charon.plugins.sql.loglevel " [-1]" +Loglevel for logging to SQL database. + +.TP +.BR charon.plugins.stroke.ignore_missing_ca_basic_constraint " [no]" +Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA +certificates even if they don't contain a CA basic constraint. + +.TP +.BR charon.plugins.stroke.max_concurrent " [4]" +Maximum number of stroke messages handled concurrently. + +.TP +.BR charon.plugins.stroke.prevent_loglevel_changes " [no]" +If enabled log level changes via stroke socket are not allowed. + +.TP +.BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]" +Socket provided by the stroke plugin. + +.TP +.BR charon.plugins.stroke.timeout " [0]" +Timeout in ms for any stroke command. Use 0 to disable the timeout. + +.TP +.BR charon.plugins.systime-fix.interval " [0]" +Interval in seconds to check system time for validity. 0 disables the check. 
+ +.TP +.BR charon.plugins.systime-fix.reauth " [no]" +Whether to use reauth or delete if an invalid cert lifetime is detected. + +.TP +.BR charon.plugins.systime-fix.threshold " []" +Threshold date where system time is considered valid. Disabled if not specified. + +.TP +.BR charon.plugins.systime-fix.threshold_format " [%Y]" +.RB "" "strptime" "(3)" +format used to parse threshold option. + +.TP +.BR charon.plugins.tnc-ifmap.client_cert " []" +Path to X.509 certificate file of IF\-MAP client. + +.TP +.BR charon.plugins.tnc-ifmap.client_key " []" +Path to private key file of IF\-MAP client. + +.TP +.BR charon.plugins.tnc-ifmap.device_name " []" +Unique name of strongSwan server as a PEP and/or PDP device. + +.TP +.BR charon.plugins.tnc-ifmap.renew_session_interval " [150]" +Interval in seconds between periodic IF\-MAP RenewSession requests. + +.TP +.BR charon.plugins.tnc-ifmap.server_cert " []" +Path to X.509 certificate file of IF\-MAP server. + +.TP +.BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]" +URI of the form [https://]servername[:port][/path]. + +.TP +.BR charon.plugins.tnc-ifmap.username_password " []" +Credentials of IF\-MAP client of the form username:password. If set, make sure to +adjust the permissions of the config file accordingly. + +.TP +.BR charon.plugins.tnc-imc.dlclose " [yes]" +Unload IMC after use. + +.TP +.BR charon.plugins.tnc-imc.preferred_language " [en]" +Preferred language for TNC recommendations. + +.TP +.BR charon.plugins.tnc-imv.dlclose " [yes]" +Unload IMV after use. + +.TP +.BR charon.plugins.tnc-imv.recommendation_policy " [default]" +TNC recommendation policy, one of +.RI "" "default" "," +.RI "" "any" "," +or +.RI "" "all" "." + + +.TP +.BR charon.plugins.tnc-pdp.server " []" +Name of the strongSwan PDP as contained in the AAA certificate. + +.TP +.BR charon.plugins.tnc-pdp.timeout " []" +Timeout in seconds before closing incomplete connections. 
+ +.TP +.BR charon.plugins.tnc-pdp.pt_tls.enable " [yes]" +Enable PT\-TLS protocol on the strongSwan PDP. + +.TP +.BR charon.plugins.tnc-pdp.pt_tls.port " [271]" +PT\-TLS server port the strongSwan PDP is listening on. + +.TP +.BR charon.plugins.tnc-pdp.radius.enable " [yes]" +Enable RADIUS protocol on the strongSwan PDP. + +.TP +.BR charon.plugins.tnc-pdp.radius.method " [ttls]" +EAP tunnel method to be used. + +.TP +.BR charon.plugins.tnc-pdp.radius.port " [1812]" +RADIUS server port the strongSwan PDP is listening on. + +.TP +.BR charon.plugins.tnc-pdp.radius.secret " []" +Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure to adjust +the permissions of the config file accordingly. + +.TP +.BR charon.plugins.tnccs-11.max_message_size " [45000]" +Maximum size of a PA\-TNC message (XML & Base64 encoding). + +.TP +.BR charon.plugins.tnccs-20.max_batch_size " [65522]" +Maximum size of a PB\-TNC batch (upper limit via PT\-EAP = 65529). + +.TP +.BR charon.plugins.tnccs-20.max_message_size " [65490]" +Maximum size of a PA\-TNC message (upper limit via PT\-EAP = 65497). + +.TP +.BR charon.plugins.unbound.dlv_anchors " []" +File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses +the same format as +.RI "" "trust_anchors" "." +Only one DLV can be configured, which is +then used as a root trusted DLV, this means that it is a lookaside for the root. + +.TP +.BR charon.plugins.unbound.resolv_conf " [/etc/resolv.conf]" +File to read DNS resolver configuration from. + +.TP +.BR charon.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]" +File to read DNSSEC trust anchors from (usually root zone KSK). The format of +the file is the standard DNS Zone file format, anchors can be stored as DS or +DNSKEY entries in the file. 
+ +.TP +.BR charon.plugins.updown.dns_handler " [no]" +Whether the updown script should handle DNS servers assigned via IKEv1 Mode +Config or IKEv2 Config Payloads (if enabled they can't be handled by other +plugins, like resolve) + +.TP +.BR charon.plugins.whitelist.enable " [yes]" +Enable loaded whitelist plugin. + +.TP +.BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]" +Socket provided by the whitelist plugin. + +.TP +.BR charon.plugins.xauth-eap.backend " [radius]" +EAP plugin to be used as backend for XAuth credential verification. + +.TP +.BR charon.plugins.xauth-pam.pam_service " [login]" +PAM service to be used for authentication. + +.TP +.BR charon.plugins.xauth-pam.session " [no]" +Open/close a PAM session for each active IKE_SA. + +.TP +.BR charon.plugins.xauth-pam.trim_email " [yes]" +If an email address is received as an XAuth username, trim it to just the +username part. + +.TP +.B charon.processor.priority_threads +.br +Section to configure the number of reserved threads per priority class see JOB +PRIORITY MANAGEMENT in +.RB "" "strongswan.conf" "(5)." + + +.TP +.B charon.syslog +.br +Section to define syslog loggers, see LOGGER CONFIGURATION in +.RB "" "strongswan.conf" "(5)." + + +.TP +.BR charon.syslog.identifier " []" +Global identifier used for an +.RB "" "openlog" "(3)" +call, prepended to each log message +by syslog. If not configured, +.RB "" "openlog" "(3)" +is not called, so the value will +depend on system defaults (often the program name). + +.TP +.B charon.syslog. +.br + is one of the supported syslog facilities, see LOGGER CONFIGURATION +in +.RB "" "strongswan.conf" "(5)." + + +.TP +.BR charon.syslog.. " []" +Loglevel for a specific subsystem. + +.TP +.BR charon.syslog..default " [1]" +Specifies the default loglevel to be used for subsystems for which no specific +loglevel is defined. 
+ +.TP +.BR charon.syslog..ike_name " [no]" +Prefix each log entry with the connection name and a unique numerical identifier +for each IKE_SA. + +.TP +.BR charon.tls.cipher " []" +List of TLS encryption ciphers. + +.TP +.BR charon.tls.key_exchange " []" +List of TLS key exchange methods. + +.TP +.BR charon.tls.mac " []" +List of TLS MAC algorithms. + +.TP +.BR charon.tls.suites " []" +List of TLS cipher suites. + +.TP +.BR charon.tnc.tnc_config " [/etc/tnc_config]" +TNC IMC/IMV configuration file. + +.TP +.BR charon.x509.enforce_critical " [yes]" +Discard certificates with unsupported or unknown critical extensions. + +.TP +.BR libimcv.debug_level " [1]" +Debug level for a stand\-alone +.RI "" "libimcv" "" +library. + +.TP +.BR libimcv.load " [random nonce gmp pubkey x509]" +Plugins to load in IMC/IMVs with stand\-alone +.RI "" "libimcv" "" +library. + +.TP +.BR libimcv.stderr_quiet " [no]" +Disable output to stderr with a stand\-alone +.RI "" "libimcv" "" +library. + +.TP +.BR manager.database " []" +Credential database URI for manager. If it contains a password, make sure to +adjust the permissions of the config file accordingly. + +.TP +.BR manager.debug " [no]" +Enable debugging in manager. + +.TP +.BR manager.load " []" +Plugins to load in manager. + +.TP +.BR manager.socket " []" +FastCGI socket of manager, to run it statically. + +.TP +.BR manager.threads " [10]" +Threads to use for request handling. + +.TP +.BR manager.timeout " [15m]" +Session timeout for manager. + +.TP +.BR medsrv.database " []" +Mediation server database URI. If it contains a password, make sure to adjust +the permissions of the config file accordingly. + +.TP +.BR medsrv.debug " [no]" +Debugging in mediation server web application. + +.TP +.BR medsrv.dpd " [5m]" +DPD timeout to use in mediation server plugin. + +.TP +.BR medsrv.load " []" +Plugins to load in mediation server plugin. 
+ +.TP +.BR medsrv.password_length " [6]" +Minimum password length required for mediation server user accounts. + +.TP +.BR medsrv.rekey " [20m]" +Rekeying time on mediation connections in mediation server plugin. + +.TP +.BR medsrv.socket " []" +Run Mediation server web application statically on socket. + +.TP +.BR medsrv.threads " [5]" +Number of thread for mediation service web application. + +.TP +.BR medsrv.timeout " [15m]" +Session timeout for mediation service. + +.TP +.BR openac.load " []" +Plugins to load in ipsec openac tool. + +.TP +.BR pacman.database " []" +Database URI for the database that stores the package information. If it +contains a password, make sure to adjust the permissions of the config file +accordingly. + +.TP +.BR pacman.load " []" +Plugins to load in package manager. + +.TP +.BR pki.load " []" +Plugins to load in ipsec pki tool. + +.TP +.BR pool.database " []" +Database URI for the database that stores IP pools and configuration attributes. +If it contains a password, make sure to adjust the permissions of the +config file accordingly. + +.TP +.BR pool.load " []" +Plugins to load in ipsec pool tool. + +.TP +.BR scepclient.load " []" +Plugins to load in ipsec scepclient tool. + +.TP +.BR starter.load " []" +Plugins to load in starter. + +.TP +.BR starter.load_warning " [yes]" +Disable charon plugin load option warning. + diff --git a/conf/strongswan.conf.5.tail.in b/conf/strongswan.conf.5.tail.in new file mode 100644 index 000000000..72aa7f856 --- /dev/null +++ b/conf/strongswan.conf.5.tail.in 
@@ -0,0 +1,470 @@
+.SH LOGGER CONFIGURATION
+Options in
+.BR strongswan.conf (5)
+provide a much more flexible way to configure loggers for the IKE daemon charon
+than using the
+.B charondebug
+option in
+.BR ipsec.conf (5).
+.PP
+.BR Note :
+If any loggers are specified in strongswan.conf,
+.B charondebug
+does not have any effect.
+.PP
+There are currently two types of loggers:
+.TP
+.B File loggers
+Log directly to a file and are defined by specifying the full path to the
+file as subsection in the
+.B charon.filelog
+section. To log to the console the two special filenames
+.BR stdout " and " stderr
+can be used.
+.TP
+.B Syslog loggers
+Log into a syslog facility and are defined by specifying the facility to log to
+as the name of a subsection in the
+.B charon.syslog
+section. The following facilities are currently supported:
+.BR daemon " and " auth .
+.PP
+Multiple loggers can be defined for each type with different log verbosity for
+the different subsystems of the daemon.
+
+.SS Subsystems
+.TP
+.B dmn
+Main daemon setup/cleanup/signal handling
+.TP
+.B mgr
+IKE_SA manager, handling synchronization for IKE_SA access
+.TP
+.B ike
+IKE_SA
+.TP
+.B chd
+CHILD_SA
+.TP
+.B job
+Jobs queueing/processing and thread pool management
+.TP
+.B cfg
+Configuration management and plugins
+.TP
+.B knl
+IPsec/Networking kernel interface
+.TP
+.B net
+IKE network communication
+.TP
+.B asn
+Low-level encoding/decoding (ASN.1, X.509 etc.)
+.TP
+.B enc
+Packet encoding/decoding encryption/decryption operations
+.TP
+.B tls
+libtls library messages
+.TP
+.B esp
+libipsec library messages
+.TP
+.B lib
+libstrongwan library messages
+.TP
+.B tnc
+Trusted Network Connect
+.TP
+.B imc
+Integrity Measurement Collector
+.TP
+.B imv
+Integrity Measurement Verifier
+.TP
+.B pts
+Platform Trust Service
+.SS Loglevels
+.TP
+.B -1
+Absolutely silent
+.TP
+.B 0
+Very basic auditing logs, (e.g. SA up/SA down)
+.TP
+.B 1
+Generic control flow with errors, a good default to see whats going on
+.TP
+.B 2
+More detailed debugging control flow
+.TP
+.B 3
+Including RAW data dumps in Hex
+.TP
+.B 4
+Also include sensitive material in dumps, e.g. keys
+.SS Example
+.PP
+.EX
+ charon {
+ filelog {
+ /var/log/charon.log {
+ time_format = %b %e %T
+ append = no
+ default = 1
+ }
+ stderr {
+ ike = 2
+ knl = 3
+ ike_name = yes
+ }
+ }
+ syslog {
+ # enable logging to LOG_DAEMON, use defaults
+ daemon {
+ }
+ # minimalistic IKE auditing logging to LOG_AUTHPRIV
+ auth {
+ default = -1
+ ike = 0
+ }
+ }
+ }
+.EE
+
+.SH JOB PRIORITY MANAGEMENT
+Some operations in the IKEv2 daemon charon are currently implemented
+synchronously and blocking. Two examples for such operations are communication
+with a RADIUS server via EAP-RADIUS, or fetching CRL/OCSP information during
+certificate chain verification. Under high load conditions, the thread pool may
+run out of available threads, and some more important jobs, such as liveness
+checking, may not get executed in time.
+.PP
+To prevent thread starvation in such situations job priorities were introduced.
+The job processor will reserve some threads for higher priority jobs, these
+threads are not available for lower priority, locking jobs.
+.SS Implementation
+Currently 4 priorities have been defined, and they are used in charon as
+follows:
+.TP
+.B CRITICAL
+Priority for long-running dispatcher jobs.
+.TP
+.B HIGH
+INFORMATIONAL exchanges, as used by liveness checking (DPD).
+.TP
+.B MEDIUM
+Everything not HIGH/LOW, including IKE_SA_INIT processing.
+.TP
+.B LOW
+IKE_AUTH message processing. RADIUS and CRL fetching block here
+.PP
+Although IKE_SA_INIT processing is computationally expensive, it is explicitly
+assigned to the MEDIUM class. This allows charon to do the DH exchange while
+other threads are blocked in IKE_AUTH. To prevent the daemon from accepting more
+IKE_SA_INIT requests than it can handle, use IKE_SA_INIT DROPPING.
+.PP
+The thread pool processes jobs strictly by priority, meaning it will consume all
+higher priority jobs before looking for ones with lower priority. Further, it
+reserves threads for certain priorities. A priority class having reserved
+.I n
+threads will always have
+.I n
+threads available for this class (either currently processing a job, or waiting
+for one).
+.SS Configuration
+To ensure that there are always enough threads available for higher priority
+tasks, threads must be reserved for each priority class.
+.TP
+.BR charon.processor.priority_threads.critical " [0]"
+Threads reserved for CRITICAL priority class jobs
+.TP
+.BR charon.processor.priority_threads.high " [0]"
+Threads reserved for HIGH priority class jobs
+.TP
+.BR charon.processor.priority_threads.medium " [0]"
+Threads reserved for MEDIUM priority class jobs
+.TP
+.BR charon.processor.priority_threads.low " [0]"
+Threads reserved for LOW priority class jobs
+.PP
+Let's consider the following configuration:
+.PP
+.EX
+ charon {
+ processor {
+ priority_threads {
+ high = 1
+ medium = 4
+ }
+ }
+ }
+.EE
+.PP
+With this configuration, one thread is reserved for HIGH priority tasks. As
+currently only liveness checking and stroke message processing is done with
+high priority, one or two threads should be sufficient.
+.PP
+The MEDIUM class mostly processes non-blocking jobs. Unless your setup is
+experiencing many blocks in locks while accessing shared resources, threads for
+one or two times the number of CPU cores is fine.
+.PP
+It is usually not required to reserve threads for CRITICAL jobs. Jobs in this
+class rarely return and do not release their thread to the pool.
+.PP
+The remaining threads are available for LOW priority jobs. Reserving threads
+does not make sense (until we have an even lower priority).
+.SS Monitoring
+To see what the threads are actually doing, invoke
+.IR "ipsec statusall" .
+Under high load, something like this will show up:
+.PP
+.EX
+ worker threads: 2 or 32 idle, 5/1/2/22 working,
+ job queue: 0/0/1/149, scheduled: 198
+.EE
+.PP
+From 32 worker threads,
+.IP 2
+are currently idle.
+.IP 5
+are running CRITICAL priority jobs (dispatching from sockets, etc.).
+.IP 1
+is currently handling a HIGH priority job. This is actually the thread currently
+providing this information via stroke.
+.IP 2
+are handling MEDIUM priority jobs, likely IKE_SA_INIT or CREATE_CHILD_SA
+messages.
+.IP 22
+are handling LOW priority jobs, probably waiting for an EAP-RADIUS response
+while processing IKE_AUTH messages.
+.PP
+The job queue load shows how many jobs are queued for each priority, ready for
+execution. The single MEDIUM priority job will get executed immediately, as
+we have two spare threads reserved for MEDIUM class jobs.
+
+.SH IKE_SA_INIT DROPPING
+If a responder receives more connection requests per seconds than it can handle,
+it does not make sense to accept more IKE_SA_INIT messages. And if they are
+queued but can't get processed in time, an answer might be sent after the
+client has already given up and restarted its connection setup. This
+additionally increases the load on the responder.
+.PP
+To limit the responder load resulting from new connection attempts, the daemon
+can drop IKE_SA_INIT messages just after reception. There are two mechanisms to
+decide if this should happen, configured with the following options:
+.TP
+.BR charon.init_limit_half_open " [0]"
+Limit based on the number of half open IKE_SAs. Half open IKE_SAs are SAs in
+connecting state, but not yet established.
+.TP
+.BR charon.init_limit_job_load " [0]"
+Limit based on the number of jobs currently queued for processing (sum over all
+job priorities).
+.PP
+The second limit includes load from other jobs, such as rekeying. Choosing a
+good value is difficult and depends on the hardware and expected load.
+.PP
+The first limit is simpler to calculate, but includes the load from new
+connections only. If your responder is capable of negotiating 100 tunnels/s, you
+might set this limit to 1000. The daemon will then drop new connection attempts
+if generating a response would require more than 10 seconds. If you are
+allowing for a maximum response time of more than 30 seconds, consider adjusting
+the timeout for connecting IKE_SAs
+.RB ( charon.half_open_timeout ).
+A responder, by default, deletes an IKE_SA if the initiator does not establish
+it within 30 seconds. Under high load, a higher value might be required.
+
+.SH LOAD TESTS
+To do stability testing and performance optimizations, the IKE daemon charon
+provides the \fIload-tester\fR plugin. This plugin allows one to setup thousands
+of tunnels concurrently against the daemon itself or a remote host.
+.PP
+.B WARNING:
+Never enable the load-testing plugin on productive systems. It provides
+preconfigured credentials and allows an attacker to authenticate as any user.
+.PP
+.SS Configuration details
+For public key authentication, the responder uses the
+.B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
+identity. For the initiator, each connection attempt uses a different identity
+in the form
+.BR "\(dqCN=c1-r1, OU=load-test, O=strongSwan\(dq" ,
+where the first number inidicates the client number, the second the
+authentication round (if multiple authentication rounds are used).
+.PP
+For PSK authentication, FQDN identities are used. The server uses
+.BR srv.strongswan.org ,
+the client uses an identity in the form
+.BR c1-r1.strongswan.org .
+.PP
+For EAP authentication, the client uses a NAI in the form
+.BR 100000000010001@strongswan.org .
+.PP
+To configure multiple authentication rounds, concatenate multiple methods using,
+e.g.
+.EX
+ initiator_auth = pubkey|psk|eap-md5|eap-aka
+.EE
+.PP
+The responder uses a hardcoded certificate based on a 1024-bit RSA key.
+This certificate additionally serves as CA certificate. A peer uses the same
+private key, but generates client certificates on demand signed by the CA
+certificate. Install the Responder/CA certificate on the remote host to
+authenticate all clients.
+.PP
+To speed up testing, the load tester plugin implements a special Diffie-Hellman
+implementation called \fImodpnull\fR. By setting
+.EX
+ proposal = aes128-sha1-modpnull
+.EE
+this wicked fast DH implementation is used. It does not provide any security
+at all, but allows one to run tests without DH calculation overhead.
+.SS Examples
+.PP
+In the simplest case, the daemon initiates IKE_SAs against itself using the
+loopback interface. This will actually establish double the number of IKE_SAs,
+as the daemon is initiator and responder for each IKE_SA at the same time.
+Installation of IPsec SAs would fail, as each SA gets installed twice. To
+simulate the correct behavior, a fake kernel interface can be enabled which does
+not install the IPsec SAs at the kernel level.
+.PP
+A simple loopback configuration might look like this:
+.PP
+.EX
+ charon {
+ # create new IKE_SAs for each CHILD_SA to simulate
+ # different clients
+ reuse_ikesa = no
+ # turn off denial of service protection
+ dos_protection = no
+
+ plugins {
+ load-tester {
+ # enable the plugin
+ enable = yes
+ # use 4 threads to initiate connections
+ # simultaneously
+ initiators = 4
+ # each thread initiates 1000 connections
+ iterations = 1000
+ # delay each initiation in each thread by 20ms
+ delay = 20
+ # enable the fake kernel interface to
+ # avoid SA conflicts
+ fake_kernel = yes
+ }
+ }
+ }
+.EE
+.PP
+This will initiate 4000 IKE_SAs within 20 seconds. You may increase the delay
+value if your box can not handle that much load, or decrease it to put more
+load on it. If the daemon starts retransmitting messages your box probably can
+not handle all connection attempts.
+.PP
+The plugin also allows one to test against a remote host. This might help to
+test against a real world configuration. A connection setup to do stress
+testing of a gateway might look like this:
+.PP
+.EX
+ charon {
+ reuse_ikesa = no
+ threads = 32
+
+ plugins {
+ load-tester {
+ enable = yes
+ # 10000 connections, ten in parallel
+ initiators = 10
+ iterations = 1000
+ # use a delay of 100ms, overall time is:
+ # iterations * delay = 100s
+ delay = 100
+ # address of the gateway
+ remote = 1.2.3.4
+ # IKE-proposal to use
+ proposal = aes128-sha1-modp1024
+ # use faster PSK authentication instead
+ # of 1024bit RSA
+ initiator_auth = psk
+ responder_auth = psk
+ # request a virtual IP using configuration
+ # payloads
+ request_virtual_ip = yes
+ # enable CHILD_SA every 60s
+ child_rekey = 60
+ }
+ }
+ }
+.EE
+
+.SH IKEv2 RETRANSMISSION
+Retransmission timeouts in the IKEv2 daemon charon can be configured globally
+using the three keys listed below:
+.PP
+.RS
+.nf
+.BR charon.retransmit_base " [1.8]"
+.BR charon.retransmit_timeout " [4.0]"
+.BR charon.retransmit_tries " [5]"
+.fi
+.RE
+.PP
+The following algorithm is used to calculate the timeout:
+.PP
+.EX
+ relative timeout = retransmit_timeout * retransmit_base ^ (n-1)
+.EE
+.PP
+Where
+.I n
+is the current retransmission count.
+.PP
+Using the default values, packets are retransmitted in:
+
+.TS
+l r r
+---
+lB r r.
+Retransmission Relative Timeout Absolute Timeout
+1 4s 4s
+2 7s 11s
+3 13s 24s
+4 23s 47s
+5 42s 89s
+giving up 76s 165s
+.TE
+.
+.SH VARIABLES
+.
+The variables used above are configured as follows:
+
+.nf
+.na
+${piddir} @piddir@
+${prefix} @prefix@
+${random_device} @random_device@
+${urandom_device} @urandom_device@
+.ad
+.fi
+.
+.SH FILES
+.
+.nf
+.na
+/etc/strongswan.conf configuration file
+/etc/strongswan.d/ directory containing included config snippets
+/etc/strongswan.d/charon/ plugin specific config snippets
+.ad
+.fi
+.
+.SH SEE ALSO
+\fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8)
+
+.SH HISTORY
+Written for the
+.UR http://www.strongswan.org
+strongSwan project
+.UE
+by Tobias Brunner, Andreas Steffen and Martin Willi.
diff --git a/config.h.in b/config.h.in
index cce6dd148..bfcb4e2ec 100644
--- a/config.h.in
+++ b/config.h.in
@@ -124,6 +124,12 @@ /* Define to 1 if you have the header file. */ #undef HAVE_MEMORY_H +/* Define to 1 if you have the `memrchr' function. */ +#undef HAVE_MEMRCHR + +/* Define to 1 if you have the `mmap' function. */ +#undef HAVE_MMAP + /* have mpz_mown_sec() */ #undef HAVE_MPZ_POWM_SEC @@ -169,6 +175,15 @@ /* Define to 1 if you have the `pthread_spin_init' function. */ #undef HAVE_PTHREAD_SPIN_INIT +/* have qsort_r() */ +#undef HAVE_QSORT_R + +/* have BSD-style qsort_r() */ +#undef HAVE_QSORT_R_BSD + +/* have GNU-style qsort_r() */ +#undef HAVE_QSORT_R_GNU + /* Define to 1 if you have the `rb_errinfo' function. */ #undef HAVE_RB_ERRINFO @@ -293,7 +308,7 @@ /* support for IKEv2 protocol */ #undef USE_IKEV2 -/* use vstring library for printf hooks */ +/* use Vstr string library for printf hooks */ #undef USE_VSTR /* Version number of package */
diff --git a/configure b/configure
index 818379bbc..652a5d06f 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for strongSwan 5.1.1. +# Generated by GNU Autoconf 2.69 for strongSwan 5.1.2. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. 
@@ -587,8 +587,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='strongSwan' PACKAGE_TARNAME='strongswan' -PACKAGE_VERSION='5.1.1' -PACKAGE_STRING='strongSwan 5.1.1' +PACKAGE_VERSION='5.1.2' +PACKAGE_STRING='strongSwan 5.1.2' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -632,14 +632,13 @@ ac_subst_vars='am__EXEEXT_FALSE am__EXEEXT_TRUE LTLIBOBJS LIBOBJS +strongswan_options USE_CMD_FALSE USE_CMD_TRUE USE_TKM_FALSE USE_TKM_TRUE COVERAGE_FALSE COVERAGE_TRUE -UNITTESTS_FALSE -UNITTESTS_TRUE USE_SILENT_RULES_FALSE USE_SILENT_RULES_TRUE MONOLITHIC_FALSE @@ -872,6 +871,8 @@ USE_MEDSRV_FALSE USE_MEDSRV_TRUE USE_STROKE_FALSE USE_STROKE_TRUE +USE_NTRU_FALSE +USE_NTRU_TRUE USE_AF_ALG_FALSE USE_AF_ALG_TRUE USE_GCM_FALSE @@ -982,8 +983,6 @@ COVERAGE_LDFLAGS COVERAGE_CFLAGS GENHTML LCOV -CHECK_LIBS -CHECK_CFLAGS GPRBUILD dev_headers USE_DEV_HEADERS_FALSE @@ -1018,6 +1017,15 @@ DLLIB ALLOCA GPERF PERL +pkgpyexecdir +pyexecdir +pkgpythondir +pythondir +PYTHON_PLATFORM +PYTHON_EXEC_PREFIX +PYTHON_PREFIX +PYTHON_VERSION +PYTHON YFLAGS YACC LEXLIB @@ -1314,6 +1322,7 @@ enable_pkcs11 enable_ctr enable_ccm enable_gcm +enable_ntru enable_addrblock enable_unity enable_uci @@ -1336,7 +1345,6 @@ enable_vstr enable_monolithic enable_bfd_backtraces enable_unwind_backtraces -enable_unit_tests enable_coverage enable_tkm enable_cmd @@ -1365,6 +1373,7 @@ CPPFLAGS CPP YACC YFLAGS +PYTHON soup_CFLAGS soup_LIBS xml_CFLAGS @@ -1376,9 +1385,7 @@ maemo_LIBS pcsclite_CFLAGS pcsclite_LIBS nm_CFLAGS -nm_LIBS -CHECK_CFLAGS -CHECK_LIBS' +nm_LIBS' # Initialize some variables set by options. @@ -1919,7 +1926,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures strongSwan 5.1.1 to adapt to many kinds of systems. +\`configure' configures strongSwan 5.1.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -1989,7 +1996,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of strongSwan 5.1.1:";; + short | recursive ) echo "Configuration of strongSwan 5.1.2:";; esac cat <<\_ACEOF @@ -2151,6 +2158,7 @@ Optional Features: --enable-ctr enables the Counter Mode wrapper crypto plugin. --enable-ccm enables the CCM AEAD wrapper crypto plugin. --enable-gcm enables the GCM AEAD wrapper crypto plugin. + --enable-ntru enables the NTRU crypto plugin. --enable-addrblock enables RFC 3779 address block constraint support. --enable-unity enables Cisco Unity extension plugin. --enable-uci enable OpenWRT UCI configuration plugin. @@ -2186,7 +2194,6 @@ Optional Features: --enable-unwind-backtraces use libunwind to create backtraces for memory leaks and segfaults. - --enable-unit-tests enable unit tests using the check test framework. --enable-coverage enable lcov coverage report generation. --enable-tkm enable Trusted Key Manager support. --enable-cmd enable the command line IKE client charon-cmd. @@ -2292,6 +2299,7 @@ Some influential environment variables: YFLAGS The list of arguments that will be passed by default to $YACC. This script will default YFLAGS to the empty string to avoid a default value of `-d' given by some make applications. + PYTHON the Python interpreter soup_CFLAGS C compiler flags for soup, overriding pkg-config soup_LIBS linker flags for soup, overriding pkg-config xml_CFLAGS C compiler flags for xml, overriding pkg-config @@ -2307,9 +2315,6 @@ Some influential environment variables: linker flags for pcsclite, overriding pkg-config nm_CFLAGS C compiler flags for nm, overriding pkg-config nm_LIBS linker flags for nm, overriding pkg-config - CHECK_CFLAGS - C compiler flags for CHECK, overriding pkg-config - CHECK_LIBS linker flags for CHECK, overriding pkg-config Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. 
@@ -2377,7 +2382,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -strongSwan configure 5.1.1 +strongSwan configure 5.1.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2899,7 +2904,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by strongSwan $as_me 5.1.1, which was +It was created by strongSwan $as_me 5.1.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3762,7 +3767,7 @@ fi # Define the identity of the package. PACKAGE='strongswan' - VERSION='5.1.1' + VERSION='5.1.2' cat >>confdefs.h <<_ACEOF @@ -6391,6 +6396,21 @@ else fi +# Check whether --enable-ntru was given. +if test "${enable_ntru+set}" = set; then : + enableval=$enable_ntru; ntru_given=true + if test x$enableval = xyes; then + ntru=true + else + ntru=false + fi +else + ntru=false + ntru_given=false + +fi + + # Check whether --enable-addrblock was given. if test "${enable_addrblock+set}" = set; then : enableval=$enable_addrblock; addrblock_given=true @@ -6721,21 +6741,6 @@ else fi -# Check whether --enable-unit-tests was given. -if test "${enable_unit_tests+set}" = set; then : - enableval=$enable_unit_tests; unit_tests_given=true - if test x$enableval = xyes; then - unit_tests=true - else - unit_tests=false - fi -else - unit_tests=false - unit_tests_given=false - -fi - - # Check whether --enable-coverage was given. if test "${enable_coverage+set}" = set; then : enableval=$enable_coverage; coverage_given=true @@ -6815,7 +6820,7 @@ fi # =========================== if test -z "$CFLAGS"; then - CFLAGS="-g -O2 -Wall -Wno-format -Wno-pointer-sign" + CFLAGS="-g -O2 -Wall -Wno-format -Wno-format-security -Wno-pointer-sign" fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' 
@@ -16249,6 +16254,213 @@ fi done test -n "$YACC" || YACC="yacc" + + + + + + + # Find any Python interpreter. + if test -z "$PYTHON"; then + for ac_prog in python python2 python3 python3.3 python3.2 python3.1 python3.0 python2.7 python2.6 python2.5 python2.4 python2.3 python2.2 python2.1 python2.0 +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_PYTHON+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $PYTHON in + [\\/]* | ?:[\\/]*) + ac_cv_path_PYTHON="$PYTHON" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +PYTHON=$ac_cv_path_PYTHON +if test -n "$PYTHON"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON" >&5 +$as_echo "$PYTHON" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$PYTHON" && break +done +test -n "$PYTHON" || PYTHON=":" + + fi + am_display_PYTHON=python + + + if test "$PYTHON" = :; then + : + else + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON version" >&5 +$as_echo_n "checking for $am_display_PYTHON version... 
" >&6; } +if ${am_cv_python_version+:} false; then : + $as_echo_n "(cached) " >&6 +else + am_cv_python_version=`$PYTHON -c "import sys; sys.stdout.write(sys.version[:3])"` +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_version" >&5 +$as_echo "$am_cv_python_version" >&6; } + PYTHON_VERSION=$am_cv_python_version + + + + PYTHON_PREFIX='${prefix}' + + PYTHON_EXEC_PREFIX='${exec_prefix}' + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON platform" >&5 +$as_echo_n "checking for $am_display_PYTHON platform... " >&6; } +if ${am_cv_python_platform+:} false; then : + $as_echo_n "(cached) " >&6 +else + am_cv_python_platform=`$PYTHON -c "import sys; sys.stdout.write(sys.platform)"` +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_platform" >&5 +$as_echo "$am_cv_python_platform" >&6; } + PYTHON_PLATFORM=$am_cv_python_platform + + + # Just factor out some code duplication. + am_python_setup_sysconfig="\ +import sys +# Prefer sysconfig over distutils.sysconfig, for better compatibility +# with python 3.x. See automake bug#10227. +try: + import sysconfig +except ImportError: + can_use_sysconfig = 0 +else: + can_use_sysconfig = 1 +# Can't use sysconfig in CPython 2.7, since it's broken in virtualenvs: +# +try: + from platform import python_implementation + if python_implementation() == 'CPython' and sys.version[:3] == '2.7': + can_use_sysconfig = 0 +except ImportError: + pass" + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON script directory" >&5 +$as_echo_n "checking for $am_display_PYTHON script directory... 
" >&6; } +if ${am_cv_python_pythondir+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test "x$prefix" = xNONE + then + am_py_prefix=$ac_default_prefix + else + am_py_prefix=$prefix + fi + am_cv_python_pythondir=`$PYTHON -c " +$am_python_setup_sysconfig +if can_use_sysconfig: + sitedir = sysconfig.get_path('purelib', vars={'base':'$am_py_prefix'}) +else: + from distutils import sysconfig + sitedir = sysconfig.get_python_lib(0, 0, prefix='$am_py_prefix') +sys.stdout.write(sitedir)"` + case $am_cv_python_pythondir in + $am_py_prefix*) + am__strip_prefix=`echo "$am_py_prefix" | sed 's|.|.|g'` + am_cv_python_pythondir=`echo "$am_cv_python_pythondir" | sed "s,^$am__strip_prefix,$PYTHON_PREFIX,"` + ;; + *) + case $am_py_prefix in + /usr|/System*) ;; + *) + am_cv_python_pythondir=$PYTHON_PREFIX/lib/python$PYTHON_VERSION/site-packages + ;; + esac + ;; + esac + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_pythondir" >&5 +$as_echo "$am_cv_python_pythondir" >&6; } + pythondir=$am_cv_python_pythondir + + + + pkgpythondir=\${pythondir}/$PACKAGE + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON extension module directory" >&5 +$as_echo_n "checking for $am_display_PYTHON extension module directory... 
" >&6; } +if ${am_cv_python_pyexecdir+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test "x$exec_prefix" = xNONE + then + am_py_exec_prefix=$am_py_prefix + else + am_py_exec_prefix=$exec_prefix + fi + am_cv_python_pyexecdir=`$PYTHON -c " +$am_python_setup_sysconfig +if can_use_sysconfig: + sitedir = sysconfig.get_path('platlib', vars={'platbase':'$am_py_prefix'}) +else: + from distutils import sysconfig + sitedir = sysconfig.get_python_lib(1, 0, prefix='$am_py_prefix') +sys.stdout.write(sitedir)"` + case $am_cv_python_pyexecdir in + $am_py_exec_prefix*) + am__strip_prefix=`echo "$am_py_exec_prefix" | sed 's|.|.|g'` + am_cv_python_pyexecdir=`echo "$am_cv_python_pyexecdir" | sed "s,^$am__strip_prefix,$PYTHON_EXEC_PREFIX,"` + ;; + *) + case $am_py_exec_prefix in + /usr|/System*) ;; + *) + am_cv_python_pyexecdir=$PYTHON_EXEC_PREFIX/lib/python$PYTHON_VERSION/site-packages + ;; + esac + ;; + esac + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_pyexecdir" >&5 +$as_echo "$am_cv_python_pyexecdir" >&6; } + pyexecdir=$am_cv_python_pyexecdir + + + + pkgpyexecdir=\${pyexecdir}/$PACKAGE + + + + fi + + # Extract the first word of "perl", so it can be a program name with args. set dummy perl; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 @@ -16417,10 +16629,6 @@ if test x$medcli = xtrue; then mediation=true fi -if test x$coverage = xtrue; then - unit_tests=true -fi - # =========================================== # check required libraries and header files # =========================================== 
@@ -17367,6 +17575,80 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi +ac_fn_c_check_func "$LINENO" "qsort_r" "ac_cv_func_qsort_r" +if test "x$ac_cv_func_qsort_r" = xyes; then : + + +$as_echo "#define HAVE_QSORT_R /**/" >>confdefs.h + + # set -Werror so that we get an error for "argument ... has + # incompatible pointer type" warnings + save_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -Werror" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GNU-style qsort_r" >&5 +$as_echo_n "checking for GNU-style qsort_r... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#define _GNU_SOURCE + #include + int cmp (const void *a, const void *b, void *x) { return 0; } +int +main () +{ +int arr[] = { 0, 1 }; + qsort_r(arr, 2, sizeof(int), cmp, arr); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; }; + +$as_echo "#define HAVE_QSORT_R_GNU /**/" >>confdefs.h + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; }; + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for BSD-style qsort_r" >&5 +$as_echo_n "checking for BSD-style qsort_r... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + int cmp (void *x, const void *a, const void *b) { return 0; } +int +main () +{ +int arr[] = { 0, 1 }; + qsort_r(arr, 2, sizeof(int), arr, cmp); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; }; + +$as_echo "#define HAVE_QSORT_R_BSD /**/" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; }; + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? 
"qsort_r has unknown semantics +See \`config.log' for more details" "$LINENO" 5; } +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS="$save_CFLAGS" + +fi + + for ac_func in prctl mallinfo getpass closefrom getpwnam_r getgrnam_r getpwuid_r do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` @@ -17379,7 +17661,7 @@ _ACEOF fi done -for ac_func in fmemopen funopen +for ac_func in fmemopen funopen mmap memrchr do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" 
@@ -19760,102 +20042,9 @@ $as_echo "no" >&6; } fi -fi - -if test x$unit_tests = xtrue; then - -pkg_failed=no -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for CHECK" >&5 -$as_echo_n "checking for CHECK... " >&6; } - -if test -n "$CHECK_CFLAGS"; then - pkg_cv_CHECK_CFLAGS="$CHECK_CFLAGS" - elif test -n "$PKG_CONFIG"; then - if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"check >= 0.9.4\""; } >&5 - ($PKG_CONFIG --exists --print-errors "check >= 0.9.4") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then - pkg_cv_CHECK_CFLAGS=`$PKG_CONFIG --cflags "check >= 0.9.4" 2>/dev/null` - test "x$?" != "x0" && pkg_failed=yes -else - pkg_failed=yes -fi - else - pkg_failed=untried -fi -if test -n "$CHECK_LIBS"; then - pkg_cv_CHECK_LIBS="$CHECK_LIBS" - elif test -n "$PKG_CONFIG"; then - if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"check >= 0.9.4\""; } >&5 - ($PKG_CONFIG --exists --print-errors "check >= 0.9.4") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then - pkg_cv_CHECK_LIBS=`$PKG_CONFIG --libs "check >= 0.9.4" 2>/dev/null` - test "x$?" 
!= "x0" && pkg_failed=yes -else - pkg_failed=yes -fi - else - pkg_failed=untried -fi - - - -if test $pkg_failed = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - -if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then - _pkg_short_errors_supported=yes -else - _pkg_short_errors_supported=no -fi - if test $_pkg_short_errors_supported = yes; then - CHECK_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "check >= 0.9.4" 2>&1` - else - CHECK_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "check >= 0.9.4" 2>&1` - fi - # Put the nasty error message in config.log where it belongs - echo "$CHECK_PKG_ERRORS" >&5 - - as_fn_error $? "Package requirements (check >= 0.9.4) were not met: - -$CHECK_PKG_ERRORS - -Consider adjusting the PKG_CONFIG_PATH environment variable if you -installed software in a non-standard prefix. - -Alternatively, you may set the environment variables CHECK_CFLAGS -and CHECK_LIBS to avoid the need to call pkg-config. -See the pkg-config man page for more details." "$LINENO" 5 -elif test $pkg_failed = untried; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it -is in your PATH or set the PKG_CONFIG environment variable to the full -path to pkg-config. - -Alternatively, you may set the environment variables CHECK_CFLAGS -and CHECK_LIBS to avoid the need to call pkg-config. -See the pkg-config man page for more details. - -To get pkg-config, see . -See \`config.log' for more details" "$LINENO" 5; } -else - CHECK_CFLAGS=$pkg_cv_CHECK_CFLAGS - CHECK_LIBS=$pkg_cv_CHECK_LIBS - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - -fi - - + if test x$GPRBUILD = x; then + as_fn_error $? 
"gprbuild not found" "$LINENO" 5 + fi fi if test x$coverage = xtrue; then @@ -20476,6 +20665,15 @@ if test x$gcm = xtrue; then fi +if test x$ntru = xtrue; then + s_plugins=${s_plugins}" ntru" + charon_plugins=${charon_plugins}" ntru" + scripts_plugins=${scripts_plugins}" ntru" + nm_plugins=${nm_plugins}" ntru" + cmd_plugins=${cmd_plugins}" ntru" + + fi + if test x$attr = xtrue; then h_plugins=${h_plugins}" attr" charon_plugins=${charon_plugins}" attr" @@ -21294,6 +21492,14 @@ else USE_AF_ALG_FALSE= fi + if test x$ntru = xtrue; then + USE_NTRU_TRUE= + USE_NTRU_FALSE='#' +else + USE_NTRU_TRUE='#' + USE_NTRU_FALSE= +fi + # charon plugins # ---------------- @@ -22231,14 +22437,6 @@ else USE_SILENT_RULES_FALSE= fi - if test x$unit_tests = xtrue; then - UNITTESTS_TRUE= - UNITTESTS_FALSE='#' -else - UNITTESTS_TRUE='#' - UNITTESTS_FALSE= -fi - if test x$coverage = xtrue; then COVERAGE_TRUE= COVERAGE_FALSE='#' 
@@ -22294,18 +22492,57 @@ $as_echo "#define USE_IKEV2 /**/" >>confdefs.h fi +# ==================================================== +# options for enabled modules (see conf/Makefile.am) +# ==================================================== + +strongswan_options= + +if test -z "$USE_ATTR_SQL_TRUE"; then : + strongswan_options=${strongswan_options}" pool" +fi +if test -z "$USE_CHARON_TRUE"; then : + strongswan_options=${strongswan_options}" charon charon-logging" +fi +if test -z "$USE_FILE_CONFIG_TRUE"; then : + strongswan_options=${strongswan_options}" starter" +fi +if test -z "$USE_IMV_ATTESTATION_TRUE"; then : + strongswan_options=${strongswan_options}" attest" +fi +if test -z "$USE_IMCV_TRUE"; then : + strongswan_options=${strongswan_options}" imcv" +fi +if test -z "$USE_IMV_OS_TRUE"; then : + strongswan_options=${strongswan_options}" pacman" +fi +if test -z "$USE_LIBTNCCS_TRUE"; then : + strongswan_options=${strongswan_options}" tnc" +fi +if test -z "$USE_MANAGER_TRUE"; then : + strongswan_options=${strongswan_options}" manager" +fi +if test -z "$USE_MEDSRV_TRUE"; then : + strongswan_options=${strongswan_options}" medsrv" +fi +if test -z "$USE_TOOLS_TRUE"; then : + strongswan_options=${strongswan_options}" tools" +fi + + + # ================= # build Makefiles # ================= -ac_config_files="$ac_config_files Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile 
src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile 
src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libpts/Makefile src/libpts/plugins/imc_attestation/Makefile src/libpts/plugins/imv_attestation/Makefile src/libpts/plugins/imc_swid/Makefile src/libpts/plugins/imv_swid/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile 
src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile scripts/Makefile testing/Makefile" +ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile 
src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile 
src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libpts/Makefile src/libpts/plugins/imc_attestation/Makefile src/libpts/plugins/imv_attestation/Makefile src/libpts/plugins/imc_swid/Makefile src/libpts/plugins/imv_swid/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile 
src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile scripts/Makefile testing/Makefile" # ================= # build man pages # ================= -ac_config_files="$ac_config_files man/ipsec.conf.5 man/ipsec.secrets.5 man/strongswan.conf.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---verify.1" 
+ac_config_files="$ac_config_files conf/strongswan.conf.5.head conf/strongswan.conf.5.tail man/ipsec.conf.5 man/ipsec.secrets.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---verify.1" cat >confcache <<\_ACEOF @@ -22630,6 +22867,10 @@ if test -z "${USE_AF_ALG_TRUE}" && test -z "${USE_AF_ALG_FALSE}"; then as_fn_error $? "conditional \"USE_AF_ALG\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_NTRU_TRUE}" && test -z "${USE_NTRU_FALSE}"; then + as_fn_error $? "conditional \"USE_NTRU\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_STROKE_TRUE}" && test -z "${USE_STROKE_FALSE}"; then as_fn_error $? "conditional \"USE_STROKE\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -23094,10 +23335,6 @@ if test -z "${USE_SILENT_RULES_TRUE}" && test -z "${USE_SILENT_RULES_FALSE}"; th as_fn_error $? "conditional \"USE_SILENT_RULES\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi -if test -z "${UNITTESTS_TRUE}" && test -z "${UNITTESTS_FALSE}"; then - as_fn_error $? "conditional \"UNITTESTS\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 -fi if test -z "${COVERAGE_TRUE}" && test -z "${COVERAGE_FALSE}"; then as_fn_error $? "conditional \"COVERAGE\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 
@@ -23507,7 +23744,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by strongSwan $as_me 5.1.1, which was +This file was extended by strongSwan $as_me 5.1.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -23573,7 +23810,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -strongSwan config.status 5.1.1 +strongSwan config.status 5.1.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -23983,6 +24220,7 @@ do "depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;; "libtool") CONFIG_COMMANDS="$CONFIG_COMMANDS libtool" ;; "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; + "conf/Makefile") CONFIG_FILES="$CONFIG_FILES conf/Makefile" ;; "man/Makefile") CONFIG_FILES="$CONFIG_FILES man/Makefile" ;; "init/Makefile") CONFIG_FILES="$CONFIG_FILES init/Makefile" ;; "init/systemd/Makefile") CONFIG_FILES="$CONFIG_FILES init/systemd/Makefile" ;; @@ -24033,6 +24271,7 @@ do "src/libstrongswan/plugins/ccm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ccm/Makefile" ;; "src/libstrongswan/plugins/gcm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcm/Makefile" ;; "src/libstrongswan/plugins/af_alg/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/af_alg/Makefile" ;; + "src/libstrongswan/plugins/ntru/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ntru/Makefile" ;; "src/libstrongswan/plugins/test_vectors/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/test_vectors/Makefile" ;; "src/libstrongswan/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/tests/Makefile" ;; "src/libhydra/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/Makefile" ;; 
@@ -24150,9 +24389,10 @@ do "src/pt-tls-client/Makefile") CONFIG_FILES="$CONFIG_FILES src/pt-tls-client/Makefile" ;; "scripts/Makefile") CONFIG_FILES="$CONFIG_FILES scripts/Makefile" ;; "testing/Makefile") CONFIG_FILES="$CONFIG_FILES testing/Makefile" ;; + "conf/strongswan.conf.5.head") CONFIG_FILES="$CONFIG_FILES conf/strongswan.conf.5.head" ;; + "conf/strongswan.conf.5.tail") CONFIG_FILES="$CONFIG_FILES conf/strongswan.conf.5.tail" ;; "man/ipsec.conf.5") CONFIG_FILES="$CONFIG_FILES man/ipsec.conf.5" ;; "man/ipsec.secrets.5") CONFIG_FILES="$CONFIG_FILES man/ipsec.secrets.5" ;; - "man/strongswan.conf.5") CONFIG_FILES="$CONFIG_FILES man/strongswan.conf.5" ;; "src/charon-cmd/charon-cmd.8") CONFIG_FILES="$CONFIG_FILES src/charon-cmd/charon-cmd.8" ;; "src/pki/man/pki.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki.1" ;; "src/pki/man/pki---gen.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---gen.1" ;; diff --git a/configure.ac b/configure.ac index df1dc6847..8a925c29a 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ # -# Copyright (C) 2007-2013 Tobias Brunner +# Copyright (C) 2007-2014 Tobias Brunner # Copyright (C) 2006-2013 Andreas Steffen # Copyright (C) 2006-2013 Martin Willi # Hochschule fuer Technik Rapperswil @@ -19,8 +19,18 @@ # initialize & set some vars # ============================ -AC_INIT([strongSwan],[5.1.1]) -AM_INIT_AUTOMAKE([tar-ustar subdir-objects]) +AC_INIT([strongSwan],[5.1.2]) +AM_INIT_AUTOMAKE(m4_esyscmd([ + echo tar-ustar + echo subdir-objects + case `automake --version | head -n 1` in + *" 1.9"*);; + *" 1.10"*);; + *" 1.11"*);; + # don't use parallel test harness in 1.12 and up + *) echo serial-tests;; + esac +])) m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES]) AC_CONFIG_MACRO_DIR([m4/config]) AC_CONFIG_HEADERS([config.h]) 
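Review bot: The version sniff inside the new `AM_INIT_AUTOMAKE` argument runs a hard-coded `automake --version`, so when the bootstrap is driven with a differently named binary (`AUTOMAKE=automake-1.11 autoreconf`, a common setup on systems with several automake releases) the `case` inspects the wrong installation and may hand `serial-tests` to a version that rejects it. Use the variable autoreconf itself honours: `case `${AUTOMAKE-automake} --version | head -n 1` in`. An empty result (no automake on PATH) also falls into the `*)` arm and emits `serial-tests`; an explicit `"")` arm that emits nothing would leave the plain "automake not found" error as the visible failure instead of an unknown-option complaint.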
@@ -229,6 +239,7 @@ ARG_ENABL_SET([pkcs11], [enables the PKCS11 token support plugin.]) ARG_ENABL_SET([ctr], [enables the Counter Mode wrapper crypto plugin.]) ARG_ENABL_SET([ccm], [enables the CCM AEAD wrapper crypto plugin.]) ARG_ENABL_SET([gcm], [enables the GCM AEAD wrapper crypto plugin.]) +ARG_ENABL_SET([ntru], [enables the NTRU crypto plugin.]) ARG_ENABL_SET([addrblock], [enables RFC 3779 address block constraint support.]) ARG_ENABL_SET([unity], [enables Cisco Unity extension plugin.]) ARG_ENABL_SET([uci], [enable OpenWRT UCI configuration plugin.]) @@ -251,7 +262,6 @@ ARG_ENABL_SET([vstr], [enforce using the Vstr string library to replac ARG_ENABL_SET([monolithic], [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.]) ARG_ENABL_SET([bfd-backtraces], [use binutils libbfd to resolve backtraces for memory leaks and segfaults.]) ARG_ENABL_SET([unwind-backtraces],[use libunwind to create backtraces for memory leaks and segfaults.]) -ARG_ENABL_SET([unit-tests], [enable unit tests using the check test framework.]) ARG_ENABL_SET([coverage], [enable lcov coverage report generation.]) ARG_ENABL_SET([tkm], [enable Trusted Key Manager support.]) ARG_ENABL_SET([cmd], [enable the command line IKE client charon-cmd.]) @@ -274,7 +284,7 @@ fi # =========================== if test -z "$CFLAGS"; then - CFLAGS="-g -O2 -Wall -Wno-format -Wno-pointer-sign" + CFLAGS="-g -O2 -Wall -Wno-format -Wno-format-security -Wno-pointer-sign" fi AC_PROG_CC AM_PROG_CC_C_O @@ -292,6 +302,7 @@ AC_PROG_EGREP AC_PROG_AWK AC_PROG_LEX AC_PROG_YACC +AM_PATH_PYTHON(,,[:]) AC_PATH_PROG([PERL], [perl], [], [$PATH:/bin:/usr/bin:/usr/local/bin]) AC_PATH_PROG([GPERF], [gperf], [], [$PATH:/bin:/usr/bin:/usr/local/bin]) 
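Review bot: The default `CFLAGS` in hunk `@@ -274,7 +284,7 @@` now add `-Wno-format-security`, which silences the compiler's warning for non-literal format strings reaching printf-style functions — in a daemon that parses peer-supplied data this is a warning class worth keeping visible, and the hunk gives no reason for dropping it. If the noise comes from strongSwan's own printf-hook machinery (presumably, given the pre-existing `-Wno-format`; not visible here), a comment above the assignment such as `# -Wno-format-security: printf hooks pass non-literal format strings by design` would stop the next maintainer from either re-enabling it blindly or cargo-culting it elsewhere, and scoping it to the affected directories via a per-directory `AM_CFLAGS` would be preferable to a tree-wide default. Note the block only runs when the user sets no `CFLAGS`, so packagers' hardening flags are unaffected.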
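Review bot: `AM_PATH_PYTHON(,,[:])` in hunk `@@ -292,6 +302,7 @@` makes a missing interpreter non-fatal and, as far as I recall the Automake implementation, leaves `PYTHON` set to `:`, so any recipe running `$(PYTHON) …` becomes a silent no-op that produces nothing while the build still reports success. If the substituted interpreter drives generation of the new configuration documentation (conf/format-options.py appears in the diffstat; the consuming Makefile.am is not in this chunk), surface the degradation at configure time, e.g. `AM_PATH_PYTHON(,,[AC_MSG_WARN([python not found, strongswan.conf documentation will not be generated])])`, which keeps the non-fatal behaviour but tells the user why output is missing.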
@@ -376,10 +387,6 @@ if test x$medcli = xtrue; then mediation=true fi -if test x$coverage = xtrue; then - unit_tests=true -fi - # =========================================== # check required libraries and header files # =========================================== @@ -488,8 +495,45 @@ AC_CHECK_FUNC( )] ) +AC_CHECK_FUNC( + [qsort_r], + [ + AC_DEFINE([HAVE_QSORT_R], [], [have qsort_r()]) + # set -Werror so that we get an error for "argument ... has + # incompatible pointer type" warnings + save_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -Werror" + AC_MSG_CHECKING([for GNU-style qsort_r]) + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[#define _GNU_SOURCE + #include + int cmp (const void *a, const void *b, void *x) { return 0; }]], + [[int arr[] = { 0, 1 }; + qsort_r(arr, 2, sizeof(int), cmp, arr);]])], + [AC_MSG_RESULT([yes]); + AC_DEFINE([HAVE_QSORT_R_GNU], [], [have GNU-style qsort_r()])], + [ + AC_MSG_RESULT([no]); + AC_MSG_CHECKING([for BSD-style qsort_r]) + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[#include + int cmp (void *x, const void *a, const void *b) { return 0; }]], + [[int arr[] = { 0, 1 }; + qsort_r(arr, 2, sizeof(int), arr, cmp);]])], + [AC_MSG_RESULT([yes]); + AC_DEFINE([HAVE_QSORT_R_BSD], [], [have BSD-style qsort_r()])], + [AC_MSG_RESULT([no]); + AC_MSG_FAILURE([qsort_r has unknown semantics])]) + ]) + CFLAGS="$save_CFLAGS" + ], + [] +) + AC_CHECK_FUNCS(prctl mallinfo getpass closefrom getpwnam_r getgrnam_r getpwuid_r) -AC_CHECK_FUNCS(fmemopen funopen) +AC_CHECK_FUNCS(fmemopen funopen mmap memrchr) AC_CHECK_HEADERS(sys/sockio.h glob.h net/if_tun.h linux/fib_rules.h) AC_CHECK_HEADERS(net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h) @@ -633,7 +677,7 @@ AC_CHECK_FUNC( if test x$vstr = xtrue; then AC_CHECK_LIB([vstr],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Vstr string library not found])],[]) - AC_DEFINE([USE_VSTR], [], [use vstring library for printf hooks]) + AC_DEFINE([USE_VSTR], [], [use Vstr string library for printf hooks]) builtin_printf=false fi 
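Review bot: The GNU- and BSD-style `qsort_r` probes in hunk `@@ -488,8 +495,45 @@` compile with the user's full `CFLAGS` plus `-Werror`, so any unrelated warning those flags produce turns into a false negative — with `-Wextra`, for instance, the unused `a`, `b` and `x` parameters of the test `cmp` already fail both probes, and configure then aborts with `qsort_r has unknown semantics` on a perfectly good libc. Keep the probe programs warning-clean for the flags they are likely to meet, e.g. `int cmp (const void *a, const void *b, void *x) { (void)a; (void)b; (void)x; return 0; }` and the same for the BSD variant, and say in the existing comment that `-Werror` is only meant to promote the incompatible-pointer-type diagnostic. Separately, `HAVE_QSORT_R` is defined before the calling convention is known; moving that `AC_DEFINE` into the two success branches keeps the three macros consistent should the hard failure ever be relaxed to a warning.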
@@ -933,12 +977,9 @@ CFLAGS="$CFLAGS -include `pwd`/config.h" if test x$tkm = xtrue; then AC_PATH_PROG([GPRBUILD], [gprbuild], [], [$PATH:/bin:/usr/bin:/usr/local/bin]) -fi - -if test x$unit_tests = xtrue; then - PKG_CHECK_MODULES(CHECK, [check >= 0.9.4]) - AC_SUBST(CHECK_CFLAGS) - AC_SUBST(CHECK_LIBS) + if test x$GPRBUILD = x; then + AC_MSG_ERROR([gprbuild not found]) + fi fi if test x$coverage = xtrue; then @@ -1034,6 +1075,7 @@ ADD_PLUGIN([hmac], [s charon scripts nm cmd]) ADD_PLUGIN([ctr], [s charon scripts nm cmd]) ADD_PLUGIN([ccm], [s charon scripts nm cmd]) ADD_PLUGIN([gcm], [s charon scripts nm cmd]) +ADD_PLUGIN([ntru], [s charon scripts nm cmd]) ADD_PLUGIN([attr], [h charon]) ADD_PLUGIN([attr-sql], [h charon]) ADD_PLUGIN([load-tester], [c charon]) @@ -1171,6 +1213,7 @@ AM_CONDITIONAL(USE_CTR, test x$ctr = xtrue) AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue) AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue) AM_CONDITIONAL(USE_AF_ALG, test x$af_alg = xtrue) +AM_CONDITIONAL(USE_NTRU, test x$ntru = xtrue) # charon plugins # ---------------- @@ -1296,7 +1339,6 @@ AM_CONDITIONAL(USE_PTS, test x$pts = xtrue) AM_CONDITIONAL(USE_TROUSERS, test x$tss = xtrousers) AM_CONDITIONAL(MONOLITHIC, test x$monolithic = xtrue) AM_CONDITIONAL(USE_SILENT_RULES, test x$enable_silent_rules = xyes) -AM_CONDITIONAL(UNITTESTS, test x$unit_tests = xtrue) AM_CONDITIONAL(COVERAGE, test x$coverage = xtrue) AM_CONDITIONAL(USE_TKM, test x$tkm = xtrue) AM_CONDITIONAL(USE_CMD, test x$cmd = xtrue) 
@@ -1321,12 +1363,32 @@ if test x$ikev2 = xtrue; then AC_DEFINE([USE_IKEV2], [], [support for IKEv2 protocol]) fi +# ==================================================== +# options for enabled modules (see conf/Makefile.am) +# ==================================================== + +strongswan_options= + +AM_COND_IF([USE_ATTR_SQL], [strongswan_options=${strongswan_options}" pool"]) +AM_COND_IF([USE_CHARON], [strongswan_options=${strongswan_options}" charon charon-logging"]) +AM_COND_IF([USE_FILE_CONFIG], [strongswan_options=${strongswan_options}" starter"]) +AM_COND_IF([USE_IMV_ATTESTATION], [strongswan_options=${strongswan_options}" attest"]) +AM_COND_IF([USE_IMCV], [strongswan_options=${strongswan_options}" imcv"]) +AM_COND_IF([USE_IMV_OS], [strongswan_options=${strongswan_options}" pacman"]) +AM_COND_IF([USE_LIBTNCCS], [strongswan_options=${strongswan_options}" tnc"]) +AM_COND_IF([USE_MANAGER], [strongswan_options=${strongswan_options}" manager"]) +AM_COND_IF([USE_MEDSRV], [strongswan_options=${strongswan_options}" medsrv"]) +AM_COND_IF([USE_TOOLS], [strongswan_options=${strongswan_options}" tools"]) + +AC_SUBST(strongswan_options) + # ================= # build Makefiles # ================= AC_CONFIG_FILES([ Makefile + conf/Makefile man/Makefile init/Makefile init/systemd/Makefile @@ -1377,6 +1439,7 @@ AC_CONFIG_FILES([ src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile + src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile @@ -1501,9 +1564,10 @@ AC_CONFIG_FILES([ # ================= AC_CONFIG_FILES([ + conf/strongswan.conf.5.head + conf/strongswan.conf.5.tail man/ipsec.conf.5 man/ipsec.secrets.5 - man/strongswan.conf.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---gen.1 diff --git a/init/Makefile.in b/init/Makefile.in index 3b2626218..c9ace238e 100644 --- a/init/Makefile.in 
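Review bot: The new `strongswan_options` block is built entirely from `AM_COND_IF`, which as far as I recall first appeared in Automake 1.11, so the `1.9` and `1.10` arms kept in the `AM_INIT_AUTOMAKE` version sniff earlier in this patch (hunk `@@ -19,8 +19,18 @@`) describe releases that can no longer bootstrap this configure.ac — aclocal would leave `AM_COND_IF` unexpanded and the generated configure would fail on the literal text. Either drop those arms and record the floor, e.g. `# AM_COND_IF (strongswan_options below) requires automake >= 1.11`, or build the list with plain shell tests on the same `x$var = xtrue` variables the `AM_CONDITIONAL` lines use (only some of those variable names are visible in this chunk). The appends also leave `strongswan_options` with a leading space, harmless for a word-split consumer but worth noting in the comment above the block.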
+++ b/init/Makefile.in @@ -192,8 +192,6 @@ BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ -CHECK_CFLAGS = @CHECK_CFLAGS@ -CHECK_LIBS = @CHECK_LIBS@ COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ CPP = @CPP@ @@ -261,6 +259,11 @@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -349,12 +352,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ pki_plugins = @pki_plugins@ plugindir = @plugindir@ pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ @@ -369,6 +376,7 @@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ sysconfdir = @sysconfdir@ systemdsystemunitdir = @systemdsystemunitdir@ t_plugins = @t_plugins@ diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in index 822aca11f..766402660 100644 --- a/init/systemd/Makefile.in +++ b/init/systemd/Makefile.in @@ -161,8 +161,6 @@ BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ -CHECK_CFLAGS = @CHECK_CFLAGS@ -CHECK_LIBS = @CHECK_LIBS@ COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ CPP = @CPP@ 
@@ -230,6 +228,11 @@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -318,12 +321,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ pki_plugins = @pki_plugins@ plugindir = @plugindir@ pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ @@ -338,6 +345,7 @@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ sysconfdir = @sysconfdir@ systemdsystemunitdir = @systemdsystemunitdir@ t_plugins = @t_plugins@ diff --git a/man/Makefile.am b/man/Makefile.am index 266ef7d3a..fbc78b9ac 100644 --- a/man/Makefile.am +++ b/man/Makefile.am @@ -1,6 +1,5 @@ man_MANS = \ ipsec.conf.5 \ - ipsec.secrets.5 \ - strongswan.conf.5 + ipsec.secrets.5 CLEANFILES = $(man_MANS) diff --git a/man/Makefile.in b/man/Makefile.in index 9c970cdcd..d4a38b10e 100644 --- a/man/Makefile.in +++ b/man/Makefile.in @@ -79,8 +79,7 @@ build_triplet = @build@ host_triplet = @host@ subdir = man DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(srcdir)/ipsec.conf.5.in $(srcdir)/ipsec.secrets.5.in \ - $(srcdir)/strongswan.conf.5.in + $(srcdir)/ipsec.conf.5.in $(srcdir)/ipsec.secrets.5.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ 
@@ -96,7 +95,7 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h -CONFIG_CLEAN_FILES = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5 +CONFIG_CLEAN_FILES = ipsec.conf.5 ipsec.secrets.5 CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) @@ -164,8 +163,6 @@ BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ -CHECK_CFLAGS = @CHECK_CFLAGS@ -CHECK_LIBS = @CHECK_LIBS@ COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ CPP = @CPP@ @@ -233,6 +230,11 @@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -321,12 +323,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ pki_plugins = @pki_plugins@ plugindir = @plugindir@ pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ @@ -341,6 +347,7 @@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ sysconfdir = @sysconfdir@ systemdsystemunitdir = @systemdsystemunitdir@ t_plugins = @t_plugins@ @@ -353,8 +360,7 @@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ man_MANS = \ ipsec.conf.5 \ - ipsec.secrets.5 \ - strongswan.conf.5 + ipsec.secrets.5 CLEANFILES = $(man_MANS) all: all-am 
@@ -394,8 +400,6 @@ ipsec.conf.5: $(top_builddir)/config.status $(srcdir)/ipsec.conf.5.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ ipsec.secrets.5: $(top_builddir)/config.status $(srcdir)/ipsec.secrets.5.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ -strongswan.conf.5: $(top_builddir)/config.status $(srcdir)/strongswan.conf.5.in - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ mostlyclean-libtool: -rm -f *.lo diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 92be67000..a0be75536 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -386,7 +386,9 @@ retransmission timeout applies, as every exchange is used to detect dead peers. .TP .BR inactivity " =