authorBas van Dijk <v.dijk.bas@gmail.com>2017-11-28 00:51:40 +0100
committerBas van Dijk <v.dijk.bas@gmail.com>2018-02-28 10:41:54 +0100
commit7cc5ee235482232c7c4137ba46ca2c8dba7f9618 (patch)
tree93ae8475ba8288f5c855517942d1ee6f0ee0e088
parentbd24b3addd46ff660d8ad6cc32a58aecd4715374 (diff)
strongswan-swanctl: support strongswan-5.6.1 configuration options
I determined which options got changed by executing the following
commands in the strongswan repository:

  git diff -U20 5.6.0..5.6.1 src/swanctl/swanctl.opt
  git diff -U20 5.6.0..5.6.1 conf
-rw-r--r--nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix4
-rw-r--r--nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix10
-rw-r--r--nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix41
-rw-r--r--nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix56
4 files changed, 88 insertions, 23 deletions
diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix
index 3eec9886811e..2b28b57963e1 100644
--- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix
@@ -431,6 +431,10 @@ in {
     Priority of the routing table.
   '';
 
+  rsa_pss = mkYesNoParam no ''
+    Whether to use RSA with PSS padding instead of PKCS#1 padding by default.
+  '';
+
   send_delay = mkIntParam 0 ''
     Delay in ms for sending packets, to simulate larger RTT.
   '';
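Review bot: The description of `rsa_pss` does not say when the default takes effect, although the two `auth` texts added in swanctl-params.nix by this same commit depend on it: according to them, with `pubkey` or `rsa` constraints PSS signatures are only used/accepted "if enabled in strongswan.conf(5)", while `rsa/pss` constraints select PSS explicitly. NixOS users do not edit strongswan.conf by hand, so both sides should name each other rather than the man page. I would extend the description to `Whether to use RSA with PSS padding instead of PKCS#1 padding by default. Only relevant for connections whose <literal>auth</literal> uses <literal>pubkey</literal> or <literal>rsa</literal> constraints; <literal>rsa/pss</literal> constraints request PSS explicitly.` and, in the two swanctl-params.nix hunks, point "enabled in strongswan.conf(5)" at this option. The enclosing attribute set starts and ends outside the hunk.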
diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix
index 56a253d85d39..5fd2b4b0c0a4 100644
--- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix
@@ -214,6 +214,11 @@ lib : with (import ./param-constructors.nix lib); {
     virtual IP.
   '';
 
+  eap-radius.accounting_send_class = mkYesNoParam no ''
+    If enabled, adds the Class attributes received in Access-Accept
+    message to the RADIUS accounting messages.
+  '';
+
   eap-radius.class_group = mkYesNoParam no ''
     Use the class attribute sent in the Access-Accept message as group
     membership information, see EapRadius.
@@ -916,6 +921,11 @@ lib : with (import ./param-constructors.nix lib); {
     strptime(3) format used to parse threshold option.
   '';
 
+  systime-fix.timeout = mkDurationParam "0s" ''
+    How long to wait for a valid system time if an interval is
+    configured. 0 to recheck indefinitely.
+  '';
+
   tnc-ifmap.client_cert = mkOptionalStrParam ''
     Path to X.509 certificate file of IF-MAP client.
   '';
diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix
index ad8053053701..90828642da0a 100644
--- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix
@@ -144,12 +144,6 @@ in {
     '';
   };
 
-  pacman.database = mkOptionalStrParam ''
-    Database URI for the database that stores the package information. If it
-    contains a password, make sure to adjust the permissions of the config
-    file accordingly.
-  '';
-
   pki.load = mkSpaceSepListParam [] ''
     Plugins to load in ipsec pki tool.
   '';
@@ -174,6 +168,41 @@ in {
     Plugins to load in ipsec scepclient tool.
   '';
 
+  sec-updater = {
+    database = mkOptionalStrParam ''
+      Global IMV policy database URI. If it contains a password, make
+      sure to adjust the permissions of the config file accordingly.
+    '';
+
+    swid_gen.command = mkStrParam "/usr/local/bin/swid_generator" ''
+      SWID generator command to be executed.
+    '';
+
+    swid_gen.tag_creator.name = mkStrParam "strongSwan Project" ''
+      Name of the tagCreator entity.
+    '';
+
+    swid_gen.tag_creator.regid = mkStrParam "strongswan.org" ''
+      regid of the tagCreator entity.
+    '';
+
+    tnc_manage_command = mkStrParam "/var/www/tnc/manage.py" ''
+      strongTNC manage.py command used to import SWID tags.
+    '';
+
+    tmp.deb_file = mkStrParam "/tmp/sec-updater.deb" ''
+      Temporary storage for downloaded deb package file.
+    '';
+
+    tmp.tag_file = mkStrParam "/tmp/sec-updater.tag" ''
+      Temporary storage for generated SWID tags.
+    '';
+
+    load =  mkSpaceSepListParam [] ''
+      Plugins to load in sec-updater tool.
+    '';
+  };
+
   starter = {
     config_file = mkStrParam "\${sysconfdir}/ipsec.conf" ''
       Location of the ipsec.conf file.
diff --git a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
index 095ae549730e..39d184131c36 100644
--- a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
@@ -286,7 +286,7 @@ in {
       On initiators this setting specifies whether an INITIAL_CONTACT notify is
       sent during IKE_AUTH if no existing connection is found with the remote
       peer (determined by the identities of the first authentication
-      round). Only if set to keep or replace will the client send a notify.
+      round). Unless set to <literal>never</literal> the client will send a notify.
     '';
 
     reauth_time	= mkDurationParam "0s" ''
@@ -444,7 +444,12 @@ in {
         <literal>ike:</literal> prefix are configured any signature scheme
         constraint (without <literal>ike:</literal> prefix) will also apply to
         IKEv2 authentication, unless this is disabled in
-        <literal>strongswan.conf</literal>.
+        <literal>strongswan.conf</literal>. To use RSASSA-PSS signatures use
+        <literal>rsa/pss</literal> instead of <literal>pubkey</literal> or
+        <literal>rsa</literal> as in e.g.
+        <literal>ike:rsa/pss-sha256</literal>. If <literal>pubkey</literal> or
+        <literal>rsa</literal> constraints are configured RSASSA-PSS signatures
+        will only be used if enabled in <literal>strongswan.conf</literal>(5).
         </para></listitem>
         </itemizedlist>
       '';
@@ -585,7 +590,12 @@ in {
         <option>local</option> section's <option>auth</option> keyword for
         details), such key types and hash algorithms are also applied as
         constraints against IKEv2 signature authentication schemes used by the
-        remote side.
+        remote side. To require RSASSA-PSS signatures use
+        <literal>rsa/pss</literal> instead of <literal>pubkey</literal> or
+        <literal>rsa</literal> as in e.g. <literal>rsa/pss-sha256</literal>. If
+        <literal>pubkey</literal> or <literal>rsa</literal> constraints are
+        configured RSASSA-PSS signatures will only be accepted if enabled in
+        <literal>strongswan.conf</literal>(5).
         </para><para>
         To specify trust chain constraints for EAP-(T)TLS, append a colon to the
         EAP method, followed by the key type/size and hash algorithm as
@@ -872,27 +882,39 @@ in {
       '';
 
       mark_in = mkStrParam "0/0x00000000" ''
-        Netfilter mark and mask for input traffic. On Linux Netfilter may
-        require marks on each packet to match an SA having that option set. This
-        allows Netfilter rules to select specific tunnels for incoming
-        traffic. The special value <literal>%unique</literal> sets a unique mark
-        on each CHILD_SA instance, beyond that the value
-        <literal>%unique-dir</literal> assigns a different unique mark for each
-        CHILD_SA direction (in/out).
+        Netfilter mark and mask for input traffic. On Linux, Netfilter may
+        require marks on each packet to match an SA/policy having that option
+        set. This allows installing duplicate policies and enables Netfilter
+        rules to select specific SAs/policies for incoming traffic. Note that
+        inbound marks are only set on policies, by default, unless
+        <option>mark_in_sa</option> is enabled. The special value
+        <literal>%unique</literal> sets a unique mark on each CHILD_SA instance,
+        beyond that the value <literal>%unique-dir</literal> assigns a different
+        unique mark for each
         </para><para>
         An additional mask may be appended to the mark, separated by
         <literal>/</literal>. The default mask if omitted is
         <literal>0xffffffff</literal>.
       '';
 
+      mark_in_sa = mkYesNoParam no ''
+        Whether to set <option>mark_in</option> on the inbound SA. By default,
+        the inbound mark is only set on the inbound policy. The tuple destination
+        address, protocol and SPI is unique and the mark is not required to find
+        the correct SA, allowing to mark traffic after decryption instead (where
+        more specific selectors may be used) to match different policies. Marking
+        packets before decryption is still possible, even if no mark is set on
+        the SA.
+      '';
+
       mark_out = mkStrParam "0/0x00000000" ''
-        Netfilter mark and mask for output traffic. On Linux Netfilter may
-        require marks on each packet to match a policy having that option
-        set. This allows Netfilter rules to select specific tunnels for outgoing
-        traffic. The special value <literal>%unique</literal> sets a unique mark
-        on each CHILD_SA instance, beyond that the value
-        <literal>%unique-dir</literal> assigns a different unique mark for each
-        CHILD_SA direction (in/out).
+        Netfilter mark and mask for output traffic. On Linux, Netfilter may
+        require marks on each packet to match a policy/SA having that option
+        set. This allows installing duplicate policies and enables Netfilter
+        rules to select specific policies/SAs for outgoing traffic. The special
+        value <literal>%unique</literal> sets a unique mark on each CHILD_SA
+        instance, beyond that the value <literal>%unique-dir</literal> assigns a
+        different unique mark for each CHILD_SA direction (in/out).
         </para><para>
         An additional mask may be appended to the mark, separated by
         <literal>/</literal>. The default mask if omitted is
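Review bot: The rewritten `mark_in` description is truncated: the line `unique mark for each` ends the sentence without its object and runs straight into `</para><para>`, so the rendered option help will read "assigns a different unique mark for each". The parallel `mark_out` text in the same hunk ends with `different unique mark for each CHILD_SA direction (in/out).`, so that line should become `unique mark for each CHILD_SA direction (in/out).`.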