From 05ddd767992d68bb38c7f16ece142e8c2e9ae016 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Sat, 1 Apr 2017 16:26:44 +0200 Subject: New upstream version 5.5.2 --- conf/Makefile.am | 5 ++- conf/Makefile.in | 7 +++- conf/options/aikpub2.conf | 7 ---- conf/options/aikpub2.opt | 2 - conf/options/charon.conf | 9 +++++ conf/options/charon.opt | 20 ++++++++++ conf/plugins/addrblock.conf | 11 +++++ conf/plugins/addrblock.opt | 8 ++++ conf/plugins/bypass-lan.conf | 17 ++++++++ conf/plugins/bypass-lan.opt | 8 ++++ conf/plugins/kernel-netlink.conf | 6 +++ conf/plugins/kernel-netlink.opt | 17 ++++++++ conf/plugins/pkcs11.conf | 16 ++++++-- conf/plugins/pkcs11.opt | 10 ++++- conf/plugins/revocation.conf | 14 +++++++ conf/plugins/revocation.opt | 7 ++++ conf/plugins/tpm.conf | 11 +++++ conf/plugins/tpm.opt | 2 + conf/strongswan.conf.5.main | 86 ++++++++++++++++++++++++++++++++++++---- 19 files changed, 238 insertions(+), 25 deletions(-) delete mode 100644 conf/options/aikpub2.conf delete mode 100644 conf/options/aikpub2.opt create mode 100644 conf/plugins/addrblock.conf create mode 100644 conf/plugins/addrblock.opt create mode 100644 conf/plugins/bypass-lan.conf create mode 100644 conf/plugins/bypass-lan.opt create mode 100644 conf/plugins/revocation.conf create mode 100644 conf/plugins/revocation.opt create mode 100644 conf/plugins/tpm.conf create mode 100644 conf/plugins/tpm.opt (limited to 'conf') diff --git a/conf/Makefile.am b/conf/Makefile.am index 4588b0999..eb5c9c2eb 100644 --- a/conf/Makefile.am +++ b/conf/Makefile.am @@ -9,7 +9,6 @@ pluginstemplatedir = $(templatesdir)/plugins options = \ options/aikgen.opt \ - options/aikpub2.opt \ options/attest.opt \ options/charon.opt \ options/charon-logging.opt \ 
@@ -28,10 +27,12 @@ options = \ options/tnc.opt plugins = \ + plugins/addrblock.opt \ plugins/android_log.opt \ plugins/attr.opt \ plugins/attr-sql.opt \ plugins/bliss.opt \ + plugins/bypass-lan.opt \ plugins/certexpire.opt \ plugins/coupling.opt \ plugins/dhcp.opt \ @@ -80,6 +81,7 @@ plugins = \ plugins/radattr.opt \ plugins/random.opt \ plugins/resolve.opt \ + plugins/revocation.opt \ plugins/socket-default.opt \ plugins/sql.opt \ plugins/stroke.opt \ @@ -90,6 +92,7 @@ plugins = \ plugins/tnc-pdp.opt \ plugins/tnccs-11.opt \ plugins/tnccs-20.opt \ + plugins/tpm.opt \ plugins/unbound.opt \ plugins/updown.opt \ plugins/vici.opt \ diff --git a/conf/Makefile.in b/conf/Makefile.in index e6d66a25a..70e1b01ec 100644 --- a/conf/Makefile.in +++ b/conf/Makefile.in @@ -312,7 +312,6 @@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ -h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -347,6 +346,7 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ +p_plugins = @p_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ @@ -407,7 +407,6 @@ optionstemplatedir = $(templatesdir)/strongswan.d pluginstemplatedir = $(templatesdir)/plugins options = \ options/aikgen.opt \ - options/aikpub2.opt \ options/attest.opt \ options/charon.opt \ options/charon-logging.opt \ @@ -426,10 +425,12 @@ options = \ options/tnc.opt plugins = \ + plugins/addrblock.opt \ plugins/android_log.opt \ plugins/attr.opt \ plugins/attr-sql.opt \ plugins/bliss.opt \ + plugins/bypass-lan.opt \ plugins/certexpire.opt \ plugins/coupling.opt \ plugins/dhcp.opt \ @@ -478,6 +479,7 @@ plugins = \ plugins/radattr.opt \ plugins/random.opt \ plugins/resolve.opt \ + plugins/revocation.opt \ plugins/socket-default.opt \ plugins/sql.opt \ plugins/stroke.opt \ 
@@ -488,6 +490,7 @@ plugins = \ plugins/tnc-pdp.opt \ plugins/tnccs-11.opt \ plugins/tnccs-20.opt \ + plugins/tpm.opt \ plugins/unbound.opt \ plugins/updown.opt \ plugins/vici.opt \ diff --git a/conf/options/aikpub2.conf b/conf/options/aikpub2.conf deleted file mode 100644 index fd48f2c7a..000000000 --- a/conf/options/aikpub2.conf +++ /dev/null @@ -1,7 +0,0 @@ -aikpub2 { - - # Plugins to load in aikpub2 tool. - # load = - -} - diff --git a/conf/options/aikpub2.opt b/conf/options/aikpub2.opt deleted file mode 100644 index 6a755d211..000000000 --- a/conf/options/aikpub2.opt +++ /dev/null @@ -1,2 +0,0 @@ -aikpub2.load = - Plugins to load in aikpub2 tool. diff --git a/conf/options/charon.conf b/conf/options/charon.conf index f72041e6a..1b5d52d02 100644 --- a/conf/options/charon.conf +++ b/conf/options/charon.conf @@ -164,6 +164,9 @@ charon { # will be allocated. # port_nat_t = 4500 + # Wether to prefer updating SAs to the path with the best route. + # prefer_best_path = no + # Prefer locally configured proposals for IKE/IPsec over supplied ones as # responder (disabling this can avoid keying retries due to # INVALID_KE_PAYLOAD notifies). @@ -236,6 +239,12 @@ charon { # Whether to enable constraints against IKEv2 signature schemes. # signature_authentication_constraints = yes + # The upper limit for SPIs requested from the kernel for IPsec SAs. + # spi_max = 0xcfffffff + + # The lower limit for SPIs requested from the kernel for IPsec SAs. + # spi_min = 0xc0000000 + # Number of worker threads in charon. # threads = 16 diff --git a/conf/options/charon.opt b/conf/options/charon.opt index 6e0b37c57..4c4311e81 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt 
@@ -260,6 +260,16 @@ charon.port_nat_t = 4500 allocated. Has to be different from **charon.port**, otherwise a random port will be allocated. +charon.prefer_best_path = no + Wether to prefer updating SAs to the path with the best route. + + By default, charon keeps SAs on the routing path with addresses it + previously used if that path is still usable. By setting this option to + yes, it tries more aggressively to update SAs with MOBIKE on routing + priority changes using the cheapest path. This adds more noise, but allows + to dynamically adapt SAs to routing priority changes. This option has no + effect if MOBIKE is not supported or disabled. + charon.prefer_configured_proposals = yes Prefer locally configured proposals for IKE/IPsec over supplied ones as responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD @@ -340,6 +350,16 @@ charon.signature_authentication_constraints = yes certificate chain, are also used as constraints against the signature scheme used by peers during IKEv2. +charon.spi_min = 0xc0000000 + The lower limit for SPIs requested from the kernel for IPsec SAs. + + The lower limit for SPIs requested from the kernel for IPsec SAs. Should not + be set lower than 0x00000100 (256), as SPIs between 1 and 255 are reserved + by IANA. + +charon.spi_max = 0xcfffffff + The upper limit for SPIs requested from the kernel for IPsec SAs. + charon.start-scripts {} Section containing a list of scripts (name = path) that are executed when the daemon is started. diff --git a/conf/plugins/addrblock.conf b/conf/plugins/addrblock.conf new file mode 100644 index 000000000..274961341 --- /dev/null +++ b/conf/plugins/addrblock.conf @@ -0,0 +1,11 @@ +addrblock { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Whether to strictly require addrblock extension in subject certificates. + # strict = yes + +} + 
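Review bot: `Wether` in the summary line of the new `charon.prefer_best_path` entry is a typo, and since `charon.conf` and `strongswan.conf.5.main` in this same commit carry the identical sentence they appear to be generated from this .opt file, so the fix belongs here rather than in the generated copies: `Whether to prefer updating SAs to the path with the best route.` The detail paragraph's "This adds more noise" is also vague for an option that changes when MOBIKE updates are sent; if "noise" means additional MOBIKE address-update exchanges, say so, as that is what an operator would see on the wire.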
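Review bot: The new `charon.spi_min` / `charon.spi_max` entries never state that the two values form one closed range that must satisfy spi_min <= spi_max and fit in 32 bits, nor what charon does with an inverted or out-of-range pair (the SPI allocation code is not in this diff, so I cannot tell whether it rejects, swaps or silently falls back to the defaults). The spi_min detail paragraph also opens by repeating its own summary sentence verbatim. Suggest replacing that duplicated sentence with the constraint, e.g. `Must not be greater than **charon.spi_max**. Should not be set lower than 0x00000100 (256), as SPIs between 1 and 255 are reserved by IANA.`, and giving spi_max a matching `Must not be smaller than **charon.spi_min**.`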
diff --git a/conf/plugins/addrblock.opt b/conf/plugins/addrblock.opt new file mode 100644 index 000000000..e35e4c5ad --- /dev/null +++ b/conf/plugins/addrblock.opt @@ -0,0 +1,8 @@ +charon.plugins.addrblock.strict = yes + Whether to strictly require addrblock extension in subject certificates. + + If set to yes, a subject certificate without an addrblock extension is + rejected if the issuer certificate has such an addrblock extension. If set + to no, subject certificates issued without the addrblock extension are + accepted without any traffic selector checks and no policy is enforced + by the plugin. diff --git a/conf/plugins/bypass-lan.conf b/conf/plugins/bypass-lan.conf new file mode 100644 index 000000000..ad496db67 --- /dev/null +++ b/conf/plugins/bypass-lan.conf @@ -0,0 +1,17 @@ +bypass-lan { + + # A comma-separated list of network interfaces for which connected subnets + # should be ignored, if interfaces_use is specified this option has no + # effect. + # interfaces_ignore = + + # A comma-separated list of network interfaces for which connected subnets + # should be considered. All other interfaces are ignored. + # interfaces_use = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/conf/plugins/bypass-lan.opt b/conf/plugins/bypass-lan.opt new file mode 100644 index 000000000..8c72facde --- /dev/null +++ b/conf/plugins/bypass-lan.opt @@ -0,0 +1,8 @@ +charon.plugins.bypass-lan.interfaces_ignore + A comma-separated list of network interfaces for which connected subnets + should be ignored, if **interfaces_use** is specified this option has no + effect. + +charon.plugins.bypass-lan.interfaces_use + A comma-separated list of network interfaces for which connected subnets + should be considered. All other interfaces are ignored. diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf index 47f7d58bc..22d94ee38 100644 --- a/conf/plugins/kernel-netlink.conf 
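Review bot: The security consequence of `strict = no` — a subject certificate without the addrblock extension is accepted with no traffic selector check at all, so the plugin enforces nothing for that peer — lives only in the detail paragraph, while the one-line summary is all that reaches the `addrblock.conf` template added in this commit (the template appears to be generated from this file). Since this is the knob that switches an authorization control off, the summary line an operator reads in the template should carry the warning, e.g. `Whether to strictly require the addrblock extension in subject certificates (with no, certificates lacking it bypass all addrblock traffic selector checks).`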
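Review bot: Neither `interfaces_use` nor `interfaces_ignore` says what an interface being "considered" actually means, so the template never tells the operator what the plugin does with those connected subnets; from the plugin name I would assume it installs IPsec bypass (passthrough) policies for them, i.e. that traffic is deliberately excluded from IPsec, but the plugin code is not in this diff. The wording also implies that with neither option set every interface is considered, which is the permissive default and deserves an explicit sentence. Suggest opening the `interfaces_use` description with something like `The plugin installs bypass policies for the subnets directly connected to the selected interfaces, so traffic to those subnets is not protected by IPsec; by default all interfaces are selected.`, adjusted to the implementation, and stating whether interface names are matched exactly or as patterns.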
+++ b/conf/plugins/kernel-netlink.conf @@ -3,6 +3,9 @@ kernel-netlink { # Buffer size for received Netlink messages. # buflen = + # Force maximum Netlink receive buffer on Netlink socket. + # force_receive_buffer_size = no + # Firewall mark to set on the routing rule that directs traffic to our # routing table. # fwmark = @@ -32,6 +35,9 @@ kernel-netlink { # Whether to use port or socket based IKE XFRM bypass policies. # port_bypass = no + # Maximum Netlink socket receive buffer in bytes. + # receive_buffer_size = 0 + # Number of Netlink message retransmissions to send on timeout. # retries = 0 diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt index 77ba6ea97..1136af1be 100644 --- a/conf/plugins/kernel-netlink.opt +++ b/conf/plugins/kernel-netlink.opt @@ -1,6 +1,14 @@ charon.plugins.kernel-netlink.buflen = Buffer size for received Netlink messages. +charon.plugins.kernel-netlink.force_receive_buffer_size = no + Force maximum Netlink receive buffer on Netlink socket. + + If the maximum Netlink socket receive buffer in bytes set by + _receive_buffer_size_ exceeds the system-wide maximum from + /proc/sys/net/core/rmem_max, this option can be used to override the limit. + Enabling this option requires special priviliges (CAP_NET_ADMIN). + charon.plugins.kernel-netlink.fwmark = Firewall mark to set on the routing rule that directs traffic to our routing table. 
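Review bot: `priviliges` in the last sentence of the new `force_receive_buffer_size` entry is a typo that the man page and `kernel-netlink.conf` hunks in this commit appear to inherit from this file, so fix it here: `Enabling this option requires special privileges (CAP_NET_ADMIN).` The entry should also say what happens when that capability is not available — whether the option is ignored with a log message or socket setup fails — because charon may run with reduced capabilities after startup and an operator enabling this needs to know which failure mode to expect; the plugin code is not in this diff, so I cannot tell which it is.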
@@ -39,6 +47,15 @@ charon.plugins.kernel-netlink.port_bypass = no port based policies use global XFRM bypass policies for the used IKE UDP ports. +charon.plugins.kernel-netlink.receive_buffer_size = 0 + Maximum Netlink socket receive buffer in bytes. + + Maximum Netlink socket receive buffer in bytes. This value controls how many + bytes of Netlink messages can be received on a Netlink socket. The default + value is set by /proc/sys/net/core/rmem_default. The specified value cannot + exceed the system-wide maximum from /proc/sys/net/core/rmem_max, unless + _force_receive_buffer_size_ is enabled. + charon.plugins.kernel-netlink.roam_events = yes Whether to trigger roam events when interfaces, addresses or routes change. diff --git a/conf/plugins/pkcs11.conf b/conf/plugins/pkcs11.conf index 35248c2ce..c786a9abb 100644 --- a/conf/plugins/pkcs11.conf +++ b/conf/plugins/pkcs11.conf @@ -4,9 +4,6 @@ pkcs11 { # priority of this plugin. load = yes - # Whether to load certificates from tokens. - # load_certs = yes - # Reload certificates from all tokens if charon receives a SIGHUP. # reload_certs = no @@ -31,6 +28,19 @@ pkcs11 { # List of available PKCS#11 modules. modules { + { + + # Whether to automatically load certificates from tokens. + # load_certs = yes + + # Whether OS locking should be enabled for this module. + # os_locking = no + + # Full path to the shared object file of this PKCS#11 module. + # path = + + } + } } diff --git a/conf/plugins/pkcs11.opt b/conf/plugins/pkcs11.opt index f5a202844..8f328f087 100644 --- a/conf/plugins/pkcs11.opt +++ b/conf/plugins/pkcs11.opt 
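Review bot: The new `receive_buffer_size` entry gives a default of `0` and then says "The default value is set by /proc/sys/net/core/rmem_default", which reads as two different defaults; presumably 0 means the socket buffer is left untouched, but that is only implied. Suggest stating it: `A value of 0 (the default) leaves the socket buffer at the kernel default from /proc/sys/net/core/rmem_default.` It would also help to name the symptom this option addresses (dropped Netlink messages when the buffer is too small), if that is indeed what the plugin handles — that part is not in this diff.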
@@ -1,8 +1,14 @@ charon.plugins.pkcs11.modules {} List of available PKCS#11 modules. -charon.plugins.pkcs11.load_certs = yes - Whether to load certificates from tokens. +charon.plugins.pkcs11.modules..path = + Full path to the shared object file of this PKCS#11 module. + +charon.plugins.pkcs11.modules..os_locking = no + Whether OS locking should be enabled for this module. + +charon.plugins.pkcs11.modules..load_certs = yes + Whether to automatically load certificates from tokens. charon.plugins.pkcs11.reload_certs = no Reload certificates from all tokens if charon receives a SIGHUP. diff --git a/conf/plugins/revocation.conf b/conf/plugins/revocation.conf new file mode 100644 index 000000000..ca24a640d --- /dev/null +++ b/conf/plugins/revocation.conf @@ -0,0 +1,14 @@ +revocation { + + # Whether CRL validation should be enabled. + # enable_crl = yes + + # Whether OCSP validation should be enabled. + # enable_ocsp = yes + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/conf/plugins/revocation.opt b/conf/plugins/revocation.opt new file mode 100644 index 000000000..5d2b8c026 --- /dev/null +++ b/conf/plugins/revocation.opt @@ -0,0 +1,7 @@ +charon.plugins.revocation.enable_ocsp = yes + Whether OCSP validation should be enabled. + +charon.plugins.revocation.enable_crl = yes + Whether CRL validation should be enabled. + + diff --git a/conf/plugins/tpm.conf b/conf/plugins/tpm.conf new file mode 100644 index 000000000..222bb7b0a --- /dev/null +++ b/conf/plugins/tpm.conf @@ -0,0 +1,11 @@ +tpm { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Whether the TPM should be used as RNG. + # use_rng = no + +} + diff --git a/conf/plugins/tpm.opt b/conf/plugins/tpm.opt new file mode 100644 index 000000000..cd666dde8 --- /dev/null +++ b/conf/plugins/tpm.opt 
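Review bot: `modules..path` is documented only as "Full path to the shared object file of this PKCS#11 module", with no mention that this library ends up loaded into the charon process and runs with the daemon's privileges, so whoever can replace that file gets code execution in the IKE daemon; the entry should tell the operator to point it at a root-owned, non-writable library (the loader is not in this diff; I am inferring in-process loading from how PKCS#11 modules are generally used). `os_locking` is similarly opaque — if it controls the PKCS#11 `CKF_OS_LOCKING_OK` initialization flag, naming that flag would make the option usable. Note also that the section-name placeholder seems to have been lost in this rendering (`modules..path` here and an unnamed `{` block in pkcs11.conf), likely a `<name>` placeholder eaten as markup; verify against the repository before treating that as a defect.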
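Review bot: `enable_crl` and `enable_ocsp` are documented as plain toggles without saying what the combination means: with both set to no the revocation plugin performs no revocation checking at all, so a revoked peer certificate keeps being accepted until it expires (unless some other plugin checks revocation, which I cannot see from here). That consequence belongs in the summary lines, since the summary is all that reaches the generated `revocation.conf` template. Suggest `Whether CRL validation should be enabled (with both CRL and OCSP validation disabled, revoked certificates are not detected).` and the matching sentence for `enable_ocsp`.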
@@ -0,0 +1,2 @@ +charon.plugins.tpm.use_rng = no + Whether the TPM should be used as RNG. diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main index c0ecbb7ce..72ab3a77a 100644 --- a/conf/strongswan.conf.5.main +++ b/conf/strongswan.conf.5.main @@ -2,10 +2,6 @@ .BR aikgen.load " []" Plugins to load in ipsec aikgen tool. -.TP -.BR aikpub2.load " []" -Plugins to load in aikpub2 tool. - .TP .BR attest.database " []" File measurement information database URI. If it contains a password, make sure @@ -401,6 +397,13 @@ WINS servers assigned to peer via configuration payload (CP). .BR charon.nbns2 " []" WINS servers assigned to peer via configuration payload (CP). +.TP +.BR charon.plugins.addrblock.strict " [yes]" +If set to yes, a subject certificate without an addrblock extension is rejected +if the issuer certificate has such an addrblock extension. If set to no, subject +certificates issued without the addrblock extension are accepted without any +traffic selector checks and no policy is enforced by the plugin. + .TP .BR charon.plugins.android_log.loglevel " [1]" Loglevel for logging to Android specific logger. @@ -441,6 +444,18 @@ Enable logging of SQL IP pool leases. .BR charon.plugins.bliss.use_bliss_b " [yes]" Use the enhanced BLISS\-B key generation and signature algorithm. +.TP +.BR charon.plugins.bypass-lan.interfaces_ignore " []" +A comma\-separated list of network interfaces for which connected subnets should +be ignored, if +.RB "" "interfaces_use" "" +is specified this option has no effect. + +.TP +.BR charon.plugins.bypass-lan.interfaces_use " []" +A comma\-separated list of network interfaces for which connected subnets should +be considered. All other interfaces are ignored. + .TP .BR charon.plugins.certexpire.csv.cron " []" Cron style string specifying CSV export times. 
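Review bot: `use_rng` says only "Whether the TPM should be used as RNG" and nothing about how the TPM RNG relates to the RNG sources charon already has (the `random` plugin is listed in this Makefile): whether it replaces them, is preferred only for some quality levels, or is merely registered as one more provider — and therefore whether key material starts to depend on the TPM. The plugin code is not in this diff, so I cannot tell which; whichever it is should go into the description, e.g. `When enabled, the TPM's random number generator is registered as an additional RNG provider` (adjusted to match the implementation).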
@@ -921,6 +936,14 @@ to circumvent that problem. .BR charon.plugins.kernel-netlink.buflen " []" Buffer size for received Netlink messages. +.TP +.BR charon.plugins.kernel-netlink.force_receive_buffer_size " [no]" +If the maximum Netlink socket receive buffer in bytes set by +.RI "" "receive_buffer_size" "" +exceeds the system\-wide maximum from +/proc/sys/net/core/rmem_max, this option can be used to override the limit. +Enabling this option requires special priviliges (CAP_NET_ADMIN). + .TP .BR charon.plugins.kernel-netlink.fwmark " []" Firewall mark to set on the routing rule that directs traffic to our routing @@ -961,6 +984,15 @@ policies are used to exempt IKE traffic from XFRM processing. The default socket based policies are directly tied to the IKE UDP sockets, port based policies use global XFRM bypass policies for the used IKE UDP ports. +.TP +.BR charon.plugins.kernel-netlink.receive_buffer_size " [0]" +Maximum Netlink socket receive buffer in bytes. This value controls how many +bytes of Netlink messages can be received on a Netlink socket. The default value +is set by /proc/sys/net/core/rmem_default. The specified value cannot exceed the +system\-wide maximum from /proc/sys/net/core/rmem_max, unless +.RI "" "force_receive_buffer_size" "" +is enabled. + .TP .BR charon.plugins.kernel-netlink.retries " [0]" Number of Netlink message retransmissions to send on timeout. 
@@ -1263,15 +1295,23 @@ Section to enable requesting P\-CSCF server addresses for individual connections server addresses. Requests will be sent for addresses of the same families for which internal IPs are requested. -.TP -.BR charon.plugins.pkcs11.load_certs " [yes]" -Whether to load certificates from tokens. - .TP .B charon.plugins.pkcs11.modules .br List of available PKCS#11 modules. +.TP +.BR charon.plugins.pkcs11.modules..load_certs " [yes]" +Whether to automatically load certificates from tokens. + +.TP +.BR charon.plugins.pkcs11.modules..os_locking " [no]" +Whether OS locking should be enabled for this module. + +.TP +.BR charon.plugins.pkcs11.modules..path " []" +Full path to the shared object file of this PKCS#11 module. + .TP .BR charon.plugins.pkcs11.reload_certs " [no]" Reload certificates from all tokens if charon receives a SIGHUP. @@ -1337,6 +1377,14 @@ should have a high priority according to the order defined in .RB "" "interface\-order" "(5)." +.TP +.BR charon.plugins.revocation.enable_crl " [yes]" +Whether CRL validation should be enabled. + +.TP +.BR charon.plugins.revocation.enable_ocsp " [yes]" +Whether OCSP validation should be enabled. + .TP .BR charon.plugins.socket-default.fwmark " []" Firewall mark to set on outbound packets. @@ -1522,6 +1570,10 @@ Send an unsupported PB\-TNC message type with the NOSKIP flag set. .BR charon.plugins.tnccs-20.tests.pb_tnc_version " [2]" Send a PB\-TNC batch with a modified PB\-TNC version. +.TP +.BR charon.plugins.tpm.use_rng " [no]" +Whether the TPM should be used as RNG. + .TP .BR charon.plugins.unbound.dlv_anchors " []" File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses 
@@ -1587,6 +1639,15 @@ allocated. Has to be different from otherwise a random port will be allocated. +.TP +.BR charon.prefer_best_path " [no]" +By default, charon keeps SAs on the routing path with addresses it previously +used if that path is still usable. By setting this option to yes, it tries more +aggressively to update SAs with MOBIKE on routing priority changes using the +cheapest path. This adds more noise, but allows to dynamically adapt SAs to +routing priority changes. This option has no effect if MOBIKE is not supported +or disabled. + .TP .BR charon.prefer_configured_proposals " [yes]" Prefer locally configured proposals for IKE/IPsec over supplied ones as @@ -1694,6 +1755,15 @@ used as constraints against signature schemes employed in the certificate chain, are also used as constraints against the signature scheme used by peers during IKEv2. +.TP +.BR charon.spi_max " [0xcfffffff]" +The upper limit for SPIs requested from the kernel for IPsec SAs. + +.TP +.BR charon.spi_min " [0xc0000000]" +The lower limit for SPIs requested from the kernel for IPsec SAs. Should not be +set lower than 0x00000100 (256), as SPIs between 1 and 255 are reserved by IANA. + .TP .B charon.start-scripts .br -- cgit v1.2.3