From 25663e04c3ab01ef8dc9f906608282319cfea2db Mon Sep 17 00:00:00 2001
From: Yves-Alexis Perez
Date: Thu, 20 Oct 2016 16:18:38 +0200
Subject: New upstream version 5.5.1

---
 conf/Makefile.am | 2 ++
 conf/Makefile.in | 7 ++--
 conf/options/aikpub2.conf | 7 ++++
 conf/options/aikpub2.opt | 2 ++
 conf/options/charon-nm.conf | 8 +++++
 conf/options/charon-nm.opt | 3 ++
 conf/options/charon.conf | 15 ++++++---
 conf/options/charon.opt | 15 ++++++---
 conf/plugins/kernel-netlink.conf | 27 +++++++++++++++-
 conf/plugins/kernel-netlink.opt | 43 ++++++++++++++++++++++---
 conf/strongswan.conf.5.main | 69 ++++++++++++++++++++++++++++++++++++----
 11 files changed, 174 insertions(+), 24 deletions(-)
 create mode 100644 conf/options/aikpub2.conf
 create mode 100644 conf/options/aikpub2.opt
 create mode 100644 conf/options/charon-nm.conf
 create mode 100644 conf/options/charon-nm.opt

(limited to 'conf')

diff --git a/conf/Makefile.am b/conf/Makefile.am
index b7edaa8ee..4588b0999 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -9,9 +9,11 @@ pluginstemplatedir = $(templatesdir)/plugins
 
 options = \
 options/aikgen.opt \
+ options/aikpub2.opt \
 options/attest.opt \
 options/charon.opt \
 options/charon-logging.opt \
+ options/charon-nm.opt \
 options/charon-systemd.opt \
 options/imcv.opt \
 options/imv_policy_manager.opt \
diff --git a/conf/Makefile.in b/conf/Makefile.in
index 6804d91e0..e6d66a25a 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -305,7 +305,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -339,8 +338,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -394,6 +391,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
@@ -408,9 +407,11 @@ optionstemplatedir = $(templatesdir)/strongswan.d
 pluginstemplatedir = $(templatesdir)/plugins
 options = \
 options/aikgen.opt \
+ options/aikpub2.opt \
 options/attest.opt \
 options/charon.opt \
 options/charon-logging.opt \
+ options/charon-nm.opt \
 options/charon-systemd.opt \
 options/imcv.opt \
 options/imv_policy_manager.opt \
diff --git a/conf/options/aikpub2.conf b/conf/options/aikpub2.conf
new file mode 100644
index 000000000..fd48f2c7a
--- /dev/null
+++ b/conf/options/aikpub2.conf
@@ -0,0 +1,7 @@
+aikpub2 {
+
+ # Plugins to load in aikpub2 tool.
+ # load =
+
+}
+
diff --git a/conf/options/aikpub2.opt b/conf/options/aikpub2.opt
new file mode 100644
index 000000000..6a755d211
--- /dev/null
+++ b/conf/options/aikpub2.opt
@@ -0,0 +1,2 @@
+aikpub2.load =
+ Plugins to load in aikpub2 tool.
diff --git a/conf/options/charon-nm.conf b/conf/options/charon-nm.conf
new file mode 100644
index 000000000..85d64480d
--- /dev/null
+++ b/conf/options/charon-nm.conf
@@ -0,0 +1,8 @@
+charon-nm {
+
+ # Directory from which to load CA certificates if no certificate is
+ # configured.
+ # ca_dir =
+
+}
+
diff --git a/conf/options/charon-nm.opt b/conf/options/charon-nm.opt
new file mode 100644
index 000000000..6372934bd
--- /dev/null
+++ b/conf/options/charon-nm.opt
@@ -0,0 +1,3 @@
+charon-nm.ca_dir =
+ Directory from which to load CA certificates if no certificate is
+ configured.
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index 78411250e..f72041e6a 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
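Review bot: The new ca_dir comment in charon-nm.conf says where CA certificates are loaded from but not what they are used for or what an unset value means; the matching man page entry in the strongswan.conf.5.main hunk at -1730 shows no default (`" []"`), so a reader cannot tell whether leaving it empty disables the directory lookup or falls back to a built-in path. Presumably every certificate found there becomes a trust anchor for connections without a configured certificate, which makes write access to that directory part of the trust decision and is worth stating, e.g. `Certificates found here are used as trust anchors for such connections; restrict write access to this directory.` — to be confirmed against charon-nm's loading code before adding. The same sentence is duplicated in charon-nm.opt in the next hunk, and since the .conf text is generated from the .opt, that file is the place to change it.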
@@ -7,6 +7,12 @@ charon {
 # Maximum number of half-open IKE_SAs for a single peer IP.
 # block_threshold = 5
 
+ # Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
+ # be saved under a unique file name derived from the public key of the
+ # Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
+ # /etc/swanctl/x509crl (vici), respectively.
+ # cache_crls = no
+
 # Whether relations in validated certificate chains should be cached in
 # memory.
 # cert_cache = yes
@@ -51,10 +57,11 @@ charon {
 # follow_redirects = yes
 
 # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
- # when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
- # address family specific default values). If specified this limit is
- # used for both IPv4 and IPv6.
- # fragment_size = 0
+ # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
+ # to 1280 (use 0 for address family specific default values, which uses a
+ # lower value for IPv4). If specified this limit is used for both IPv4 and
+ # IPv6.
+ # fragment_size = 1280
 
 # Name of the group the daemon changes to after startup.
 # group =
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 3970012d2..6e0b37c57 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -30,6 +30,12 @@ charon.cert_cache = yes
 Whether relations in validated certificate chains should be cached in
 memory.
 
+charon.cache_crls = no
+ Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
+ be saved under a unique file name derived from the public key of the
+ Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
+ **/etc/swanctl/x509crl** (vici), respectively.
+
 charon.cisco_unity = no
 Send Cisco Unity vendor ID payload (IKEv1 only).
 
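Review bot: `Certicate` in the new cache_crls comment is a misspelling of `Certificate`; the same text is copied into charon.opt (hunk at -30 on this line) and strongswan.conf.5.main (hunk at -49), and since the .conf and man text are generated from the .opt, the correction belongs there. The description also says nothing about who writes the cached files: this same file documents `group` (and `user`, per the man page) as the identity the daemon switches to after startup, so the named CRL directory must be writable by that identity or caching presumably fails with no hint in the option's documentation. One sentence such as `The directory must be writable by the user and group the daemon runs as.` would cover it.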
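Review bot: The rewritten fragment_size comment states the default twice, in the prose (`defaults to 1280`) and on the `# fragment_size = 1280` line, so the two will drift the next time the default changes; the prose could drop the number and read `(use 0 for address family specific default values, which use a lower value for IPv4)`. `which uses` should in any case be `which use`, since it refers to the plural `default values`. The same wording is repeated in charon.opt (hunk at -100) and strongswan.conf.5.main (hunk at -188).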
@@ -100,11 +106,12 @@ charon.flush_auth_cfg = no
 charon.follow_redirects = yes
 Whether to follow IKEv2 redirects (RFC 5685).
 
-charon.fragment_size = 0
+charon.fragment_size = 1280
 Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
- when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
- address family specific default values). If specified this limit is used
- for both IPv4 and IPv6.
+ when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
+ to 1280 (use 0 for address family specific default values, which uses a
+ lower value for IPv4). If specified this limit is used for both IPv4 and
+ IPv6.
 
 charon.group
 Name of the group the daemon changes to after startup.
diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf
index 3997dc7d9..47f7d58bc 100644
--- a/conf/plugins/kernel-netlink.conf
+++ b/conf/plugins/kernel-netlink.conf
@@ -46,8 +46,33 @@ kernel-netlink {
 # Netlink message retransmission timeout, 0 to disable retransmissions.
 # timeout = 0
 
- # Lifetime of XFRM acquire state in kernel.
+ # Lifetime of XFRM acquire state and allocated SPIs in kernel.
 # xfrm_acq_expires = 165
 
+ # XFRM policy hashing threshold configuration for IPv4 and IPv6.
+ spdh_thresh {
+
+ ipv4 {
+
+ # Local subnet XFRM policy hashing threshold for IPv4.
+ # lbits = 32
+
+ # Remote subnet XFRM policy hashing threshold for IPv4.
+ # rbits = 32
+
+ }
+
+ ipv6 {
+
+ # Local subnet XFRM policy hashing threshold for IPv6.
+ # lbits = 128
+
+ # Remote subnet XFRM policy hashing threshold for IPv6.
+ # rbits = 128
+
+ }
+
+ }
+
 }
 
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
index 6adefd8de..77ba6ea97 100644
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
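Review bot: The spdh_thresh comment in the kernel-netlink.conf hunk carries only the one-line summary, so an admin editing the installed template never learns the constraint stated in the kernel-netlink.opt hunk at -51 that policy hashing thresholds are unsupported before Linux 3.18 and may conflict with socket policies before Linux 4.8. The template appears to take just the short description from the .opt file (xfrm_acq_expires in the same hunk has a long description in .opt but only its first line here), so the kernel requirement would have to go into the short line, e.g. `XFRM policy hashing threshold configuration for IPv4 and IPv6 (Linux 3.18+).` Neither text says what charon does on an older kernel when the section is present — refuse to start, log and continue, or fail silently — which is worth one sentence once confirmed against the plugin code.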
@@ -51,6 +51,35 @@ charon.plugins.kernel-netlink.set_proto_port_transport_sa = no traffic, it also prevents the use of a single IPsec SA by more than one traffic selector. +charon.plugins.kernel-netlink.spdh_thresh {} + XFRM policy hashing threshold configuration for IPv4 and IPv6. + + XFRM policy hashing threshold configuration for IPv4 and IPv6. + + The section defines hashing thresholds to configure in the kernel during + daemon startup. Each address family takes a threshold for the local subnet + of an IPsec policy (src in out-policies, dst in in- and forward-policies) + and the remote subnet (dst in out-policies, src in in- and + forward-policies). + + If the subnet has more or equal net bits than the threshold, the first + threshold bits are used to calculate a hash to lookup the policy. + + Policy hashing thresholds are not supported before Linux 3.18 and might + conflict with socket policies before Linux 4.8. + +charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits = 32 + Local subnet XFRM policy hashing threshold for IPv4. + +charon.plugins.kernel-netlink.spdh_thresh.ipv4.rbits = 32 + Remote subnet XFRM policy hashing threshold for IPv4. + +charon.plugins.kernel-netlink.spdh_thresh.ipv6.lbits = 128 + Local subnet XFRM policy hashing threshold for IPv6. + +charon.plugins.kernel-netlink.spdh_thresh.ipv6.rbits = 128 + Remote subnet XFRM policy hashing threshold for IPv6. + charon.plugins.kernel-netlink.retries = 0 Number of Netlink message retransmissions to send on timeout. 
@@ -61,8 +90,12 @@ charon.plugins.kernel-netlink.ignore_retransmit_errors = no
 Whether to ignore errors potentially resulting from a retransmission.
 
 charon.plugins.kernel-netlink.xfrm_acq_expires = 165
- Lifetime of XFRM acquire state in kernel.
-
- Lifetime of XFRM acquire state in kernel. The value gets written to
- /proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM
- acquire messages sent.
+ Lifetime of XFRM acquire state and allocated SPIs in kernel.
+
+ Lifetime of XFRM acquire state created by the kernel when traffic matches a
+ trap policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires.
+ Indirectly controls the delay between XFRM acquire messages triggered by the
+ kernel for a trap policy. The same value is used as timeout for SPIs
+ allocated by the kernel. The default value equals the default total
+ retransmission timeout for IKE messages, see IKEv2 RETRANSMISSION
+ in **strongswan.conf**(5).
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index 3d03f2058..c0ecbb7ce 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -2,6 +2,10 @@
 .BR aikgen.load " []"
 Plugins to load in ipsec aikgen tool.
 
+.TP
+.BR aikpub2.load " []"
+Plugins to load in aikpub2 tool.
+
 .TP
 .BR attest.database " []"
 File measurement information database URI. If it contains a password, make sure
@@ -49,6 +53,16 @@ SonicWall boxes).
 .BR charon.block_threshold " [5]"
 Maximum number of half\-open IKE_SAs for a single peer IP.
 
+.TP
+.BR charon.cache_crls " [no]"
+Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should be
+saved under a unique file name derived from the public key of the Certification
+Authority (CA) to
+.RB "" "/etc/ipsec.d/crls" ""
+(stroke) or
+.RB "" "/etc/swanctl/x509crl" ""
+(vici), respectively.
+
 .TP
 .BR charon.cert_cache " [yes]"
 Whether relations in validated certificate chains should be cached in memory.
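Review bot: The rewritten xfrm_acq_expires description still gives no unit; the value is written to /proc/sys/net/core/xfrm_acq_expires, which the kernel interprets in seconds, so the summary line should say so, e.g. `Lifetime in seconds of XFRM acquire state and allocated SPIs in kernel.` The text now ties the default to the total IKE retransmission timeout and says the same value bounds kernel-allocated SPIs, but not the consequence: raise the retransmission settings without raising this value and the kernel presumably releases the reserved SPI before the exchange completes, so a sentence telling admins to adjust the two together would close that gap. The same paragraph is reproduced in the strongswan.conf.5.main hunk at -961.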
@@ -188,11 +202,11 @@ conflict with plugins that later need access to e.g. the used certificates.
 Whether to follow IKEv2 redirects (RFC 5685).
 
 .TP
-.BR charon.fragment_size " [0]"
+.BR charon.fragment_size " [1280]"
 Maximum size (complete IP datagram size in bytes) of a sent IKE fragment when
-using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for address
-family specific default values). If specified this limit is used for both
-IPv4 and IPv6.
+using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults to 1280
+(use 0 for address family specific default values, which uses a lower value for
+IPv4). If specified this limit is used for both IPv4 and IPv6.
 
 .TP
 .BR charon.group " []"
@@ -961,15 +975,52 @@ Whether to set protocol and ports in the selector installed on transport mode
 IPsec SAs in the kernel. While doing so enforces policies for inbound traffic,
 it also prevents the use of a single IPsec SA by more than one traffic selector.
 
+.TP
+.B charon.plugins.kernel-netlink.spdh_thresh
+.br
+XFRM policy hashing threshold configuration for IPv4 and IPv6.
+
+The section defines hashing thresholds to configure in the kernel during daemon
+startup. Each address family takes a threshold for the local subnet of an IPsec
+policy (src in out\-policies, dst in in\- and forward\-policies) and the remote
+subnet (dst in out\-policies, src in in\- and forward\-policies).
+
+If the subnet has more or equal net bits than the threshold, the first threshold
+bits are used to calculate a hash to lookup the policy.
+
+Policy hashing thresholds are not supported before Linux 3.18 and might conflict
+with socket policies before Linux 4.8.
+
+.TP
+.BR charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits " [32]"
+Local subnet XFRM policy hashing threshold for IPv4.
+
+.TP
+.BR charon.plugins.kernel-netlink.spdh_thresh.ipv4.rbits " [32]"
+Remote subnet XFRM policy hashing threshold for IPv4.
+
+.TP
+.BR charon.plugins.kernel-netlink.spdh_thresh.ipv6.lbits " [128]"
+Local subnet XFRM policy hashing threshold for IPv6.
+
+.TP
+.BR charon.plugins.kernel-netlink.spdh_thresh.ipv6.rbits " [128]"
+Remote subnet XFRM policy hashing threshold for IPv6.
+
 .TP
 .BR charon.plugins.kernel-netlink.timeout " [0]"
 Netlink message retransmission timeout, 0 to disable retransmissions.
 
 .TP
 .BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]"
-Lifetime of XFRM acquire state in kernel. The value gets written to
-/proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM
-acquire messages sent.
+Lifetime of XFRM acquire state created by the kernel when traffic matches a trap
+policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires.
+Indirectly controls the delay between XFRM acquire messages triggered by the
+kernel for a trap policy. The same value is used as timeout for SPIs allocated
+by the kernel. The default value equals the default total retransmission timeout
+for IKE messages, see IKEv2 RETRANSMISSION in
+.RB "" "strongswan.conf" "(5)."
+
 
 .TP
 .BR charon.plugins.kernel-pfkey.events_buffer_size " [0]"
@@ -1730,6 +1781,10 @@ Name of the user the daemon changes to after startup.
 .BR charon.x509.enforce_critical " [yes]"
 Discard certificates with unsupported or unknown critical extensions.
 
+.TP
+.BR charon-nm.ca_dir " []"
+Directory from which to load CA certificates if no certificate is configured.
+
 .TP
 .B charon-systemd.journal
 .br
-- 
cgit v1.2.3