From 94218f4dc079e5fcf76b3468b9e40072181246f2 Mon Sep 17 00:00:00 2001
From: Yves-Alexis Perez <corsac@corsac.net>
Date: Mon, 19 Feb 2018 18:17:21 +0100
Subject: New upstream version 5.6.2

---
 conf/Makefile.am                 |  1 +
 conf/Makefile.in                 |  1 +
 conf/options/charon.conf         |  6 ++---
 conf/options/charon.opt          |  2 +-
 conf/plugins/ha.opt              |  7 ++++++
 conf/plugins/imc-os.opt          |  4 ++++
 conf/plugins/kernel-netlink.conf |  3 +++
 conf/plugins/kernel-netlink.opt  |  9 +++++++-
 conf/plugins/save-keys.conf      | 16 ++++++++++++++
 conf/plugins/save-keys.opt       | 16 ++++++++++++++
 conf/strongswan.conf.5.main      | 47 ++++++++++++++++++++++++++++++++++++++--
 11 files changed, 105 insertions(+), 7 deletions(-)
 create mode 100644 conf/plugins/save-keys.conf
 create mode 100644 conf/plugins/save-keys.opt


diff --git a/conf/Makefile.am b/conf/Makefile.am
index 38181db2c..eb662c2e0 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -87,6 +87,7 @@ plugins = \
 	plugins/random.opt \
 	plugins/resolve.opt \
 	plugins/revocation.opt \
+	plugins/save-keys.opt \
 	plugins/socket-default.opt \
 	plugins/sql.opt \
 	plugins/stroke.opt \
diff --git a/conf/Makefile.in b/conf/Makefile.in
index c2cb213f7..e83d3b98f 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -493,6 +493,7 @@ plugins = \
 	plugins/random.opt \
 	plugins/resolve.opt \
 	plugins/revocation.opt \
+	plugins/save-keys.opt \
 	plugins/socket-default.opt \
 	plugins/sql.opt \
 	plugins/stroke.opt \
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index cef9fe36c..93dff172d 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -7,9 +7,9 @@ charon {
     # Maximum number of half-open IKE_SAs for a single peer IP.
     # block_threshold = 5
 
-    # Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
-    # be saved under a unique file name derived from the public key of the
-    # Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
+    # Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP
+    # should be saved under a unique file name derived from the public key of
+    # the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
     # /etc/swanctl/x509crl (vici), respectively.
     # cache_crls = no
 
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 161ebb724..fcde5f0b5 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -31,7 +31,7 @@ charon.cert_cache = yes
 	memory.
 
 charon.cache_crls = no
-	Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
+	Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should
 	be saved under a unique file name derived from the public key of the
 	Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
 	**/etc/swanctl/x509crl** (vici), respectively.
diff --git a/conf/plugins/ha.opt b/conf/plugins/ha.opt
index 77d5b7888..c821a880b 100644
--- a/conf/plugins/ha.opt
+++ b/conf/plugins/ha.opt
@@ -2,6 +2,13 @@ charon.plugins.ha.autobalance = 0
 	Interval in seconds to automatically balance handled segments between nodes.
 	Set to 0 to disable.
 
+charon.plugin.ha.buflen = 2048
+	Buffer size for received HA messages.
+
+	Buffer size for received HA messages. For IKEv1 the public DH factors are
+	also transmitted so depending on the DH group the HA messages can get quite
+	big (the default should be fine up to _modp4096_).
+
 charon.plugins.ha.fifo_interface = yes
 
 charon.plugins.ha.heartbeat_delay = 1000
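Review bot: The new key at the top of the hunk is spelled `charon.plugin.ha.buflen`, while every other option in this file — `charon.plugins.ha.autobalance`, `charon.plugins.ha.fifo_interface` and `charon.plugins.ha.heartbeat_delay` right around it — lives under `charon.plugins.ha.`, and the generated man-page entry in conf/strongswan.conf.5.main repeats the singular form. If the ha plugin looks the setting up under the `plugins` path like its siblings (the lookup is outside this diff), an administrator following this documentation would set a key that is silently ignored and stay on the 2048-byte default, which matters exactly in the large-DH-group IKEv1 case the text describes. The line should presumably read `charon.plugins.ha.buflen = 2048`, with the man page regenerated to match.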
diff --git a/conf/plugins/imc-os.opt b/conf/plugins/imc-os.opt
index 4f559f2b9..6c1da5e89 100644
--- a/conf/plugins/imc-os.opt
+++ b/conf/plugins/imc-os.opt
@@ -6,6 +6,10 @@ libimcv.plugins.imc-os.device_id =
 	Manually set the client device ID in hexadecimal format
    (e.g. 1083f03988c9762703b1c1080c2e46f72b99cc31)
 
+libimcv.plugins.imc-os.device_handle =
+	Manually set handle to a private key bound to a smartcard or TPM
+    (e.g. 0x81010004)
+
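Review bot: The continuation line `(e.g. 0x81010004)` is indented with four spaces while the description line above it uses a tab, so the new entry carries the same tab/space mix that the surrounding `device_id` (three spaces) and `device_pubkey` (four spaces) entries already show instead of settling it. The man-page hunk shows the generator joins the lines either way, so this is style only; indenting both lines with a tab, as the first description line of every entry does, keeps the block uniform and avoids editors re-flowing it differently.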
 libimcv.plugins.imc-os.device_pubkey =
 	Manually set the path to the client device public key
     (e.g. /etc/pts/aikPub.der)
diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf
index 22d94ee38..9827b2282 100644
--- a/conf/plugins/kernel-netlink.conf
+++ b/conf/plugins/kernel-netlink.conf
@@ -35,6 +35,9 @@ kernel-netlink {
     # Whether to use port or socket based IKE XFRM bypass policies.
     # port_bypass = no
 
+    # Whether to process changes in routing rules to trigger roam events.
+    # process_rules = no
+
     # Maximum Netlink socket receive buffer in bytes.
     # receive_buffer_size = 0
 
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
index 3d9c4a7a9..0e368ca1e 100644
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
@@ -7,7 +7,7 @@ charon.plugins.kernel-netlink.force_receive_buffer_size = no
 	If the maximum Netlink socket receive buffer in bytes set by
 	_receive_buffer_size_ exceeds the system-wide maximum from
 	/proc/sys/net/core/rmem_max, this option can be used to override the limit.
-	Enabling this option requires special priviliges (CAP_NET_ADMIN).
+	Enabling this option requires special privileges (CAP_NET_ADMIN).
 
 charon.plugins.kernel-netlink.fwmark =
 	Firewall mark to set on the routing rule that directs traffic to our routing
@@ -47,6 +47,13 @@ charon.plugins.kernel-netlink.port_bypass = no
 	port based policies use global XFRM bypass policies for the used IKE UDP
 	ports.
 
+charon.plugins.kernel-netlink.process_rules = no
+	Whether to process changes in routing rules to trigger roam events.
+
+	Whether to process changes in routing rules to trigger roam events. This is
+	currently only useful if the kernel based route lookup is used (i.e. if
+	route installation is disabled or an inverted fwmark match is configured).
+
 charon.plugins.kernel-netlink.receive_buffer_size = 0
 	Maximum Netlink socket receive buffer in bytes.
 
diff --git a/conf/plugins/save-keys.conf b/conf/plugins/save-keys.conf
new file mode 100644
index 000000000..c38cdcf69
--- /dev/null
+++ b/conf/plugins/save-keys.conf
@@ -0,0 +1,16 @@
+save-keys {
+
+    # Whether to save ESP keys.
+    # esp = no
+
+    # Whether to save IKE keys.
+    # ike = no
+
+    # Whether to load the plugin.
+    load = no
+
+    # Directory where the keys are stored in the format supported by Wireshark
+    # wireshark_keys =
+
+}
+
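Review bot: The comments in this new file describe `esp`, `ike` and `wireshark_keys` only as "whether to save" keys, without stating that enabling them writes the live IKE and ESP session keys to disk in cleartext, so anyone able to read that directory can decrypt every SA the daemon negotiates for as long as the files exist. A header comment such as `# Writes IKE/ESP session keys in plaintext for Wireshark decryption; debugging only, not for production hosts` and, above `wireshark_keys`, a note that the directory must be readable only by the account charon runs as would make the risk visible at the place where the option is switched on. Leaving `load = no` uncommented (the `:=` in the .opt file presumably forces that) is the right default and should be kept. The same documentation gap applies to the conf/plugins/save-keys.opt hunk and to the corresponding entries in the conf/strongswan.conf.5.main hunk.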
diff --git a/conf/plugins/save-keys.opt b/conf/plugins/save-keys.opt
new file mode 100644
index 000000000..22a766a6f
--- /dev/null
+++ b/conf/plugins/save-keys.opt
@@ -0,0 +1,16 @@
+charon.plugins.save-keys.load := no
+	Whether to load the plugin.
+
+charon.plugins.save-keys.esp = no
+	Whether to save ESP keys.
+
+charon.plugins.save-keys.ike = no
+	Whether to save IKE keys.
+
+charon.plugins.save-keys.wireshark_keys
+	Directory where the keys are stored in the format supported by Wireshark
+
+	Directory where the keys are stored in the format supported by Wireshark.
+	IKEv1 keys are stored in the _ikev1_decryption_table_ file.
+	IKEv2 keys are stored in the _ikev2_decryption_table_ file.
+	Keys for ESP CHILD_SAs are stored in the _esp_sa_ file.
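Review bot: `charon.plugins.save-keys.wireshark_keys` is written without a trailing `=`, unlike the other empty-default keys in this patch (`libimcv.plugins.imc-os.device_handle =`, `charon.plugins.kernel-netlink.fwmark =`); the generator evidently tolerates it, since the .conf hunk shows `# wireshark_keys =` and the man page shows `[]`, but the line should read `charon.plugins.save-keys.wireshark_keys =` to follow the file's convention. The second paragraph names the three output files but says nothing about how relative directory paths are resolved or which permissions the files are created with; if that is defined by the plugin (not visible in this diff), it belongs here, since these files hold the keys for all recorded traffic.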
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index b54f3e492..977403e91 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -51,7 +51,7 @@ Maximum number of half\-open IKE_SAs for a single peer IP.
 
 .TP
 .BR charon.cache_crls " [no]"
-Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should be
+Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should be
 saved under a unique file name derived from the public key of the Certification
 Authority (CA) to
 .RB "" "/etc/ipsec.d/crls" ""
@@ -405,6 +405,14 @@ WINS servers assigned to peer via configuration payload (CP).
 .BR charon.nbns2 " []"
 WINS servers assigned to peer via configuration payload (CP).
 
+.TP
+.BR charon.plugin.ha.buflen " [2048]"
+Buffer size for received HA messages. For IKEv1 the public DH factors are also
+transmitted so depending on the DH group the HA messages can get quite big (the
+default should be fine up to
+.RI "" "modp4096" ")."
+
+
 .TP
 .BR charon.plugins.addrblock.strict " [yes]"
 If set to yes, a subject certificate without an addrblock extension is rejected
@@ -973,7 +981,7 @@ If the maximum Netlink socket receive buffer in bytes set by
 .RI "" "receive_buffer_size" ""
 exceeds the system\-wide maximum from
 /proc/sys/net/core/rmem_max, this option can be used to override the limit.
-Enabling this option requires special priviliges (CAP_NET_ADMIN).
+Enabling this option requires special privileges (CAP_NET_ADMIN).
 
 .TP
 .BR charon.plugins.kernel-netlink.fwmark " []"
@@ -1015,6 +1023,12 @@ policies are used to exempt IKE traffic from XFRM processing. The default socket
 based policies are directly tied to the IKE UDP sockets, port based policies use
 global XFRM bypass policies for the used IKE UDP ports.
 
+.TP
+.BR charon.plugins.kernel-netlink.process_rules " [no]"
+Whether to process changes in routing rules to trigger roam events. This is
+currently only useful if the kernel based route lookup is used (i.e. if route
+installation is disabled or an inverted fwmark match is configured).
+
 .TP
 .BR charon.plugins.kernel-netlink.receive_buffer_size " [0]"
 Maximum Netlink socket receive buffer in bytes. This value controls how many
@@ -1416,6 +1430,30 @@ Whether CRL validation should be enabled.
 .BR charon.plugins.revocation.enable_ocsp " [yes]"
 Whether OCSP validation should be enabled.
 
+.TP
+.BR charon.plugins.save-keys.esp " [no]"
+Whether to save ESP keys.
+
+.TP
+.BR charon.plugins.save-keys.ike " [no]"
+Whether to save IKE keys.
+
+.TP
+.BR charon.plugins.save-keys.load " [no]"
+Whether to load the plugin.
+
+.TP
+.BR charon.plugins.save-keys.wireshark_keys " []"
+Directory where the keys are stored in the format supported by Wireshark. IKEv1
+keys are stored in the
+.RI "" "ikev1_decryption_table" ""
+file. IKEv2 keys are stored in
+the
+.RI "" "ikev2_decryption_table" ""
+file. Keys for ESP CHILD_SAs are stored in the
+.RI "" "esp_sa" ""
+file.
+
 .TP
 .BR charon.plugins.socket-default.fwmark " []"
 Firewall mark to set on outbound packets.
@@ -2120,6 +2158,11 @@ manufacturer of the hardcopy device.
 Manually set the path to the client device certificate (e.g.
 /etc/pts/aikCert.der)
 
+.TP
+.BR libimcv.plugins.imc-os.device_handle " []"
+Manually set handle to a private key bound to a smartcard or TPM (e.g.
+0x81010004)
+
 .TP
 .BR libimcv.plugins.imc-os.device_id " []"
 Manually set the client device ID in hexadecimal format (e.g.
-- 
cgit v1.2.3