| author | Bas van Dijk <v.dijk.bas@gmail.com> | 2017-11-28 00:51:40 +0100 |
|---|---|---|
| committer | Bas van Dijk <v.dijk.bas@gmail.com> | 2018-02-28 10:41:54 +0100 |
| commit | 7cc5ee235482232c7c4137ba46ca2c8dba7f9618 (patch) | |
| tree | 93ae8475ba8288f5c855517942d1ee6f0ee0e088 /nixos/modules | |
| parent | bd24b3addd46ff660d8ad6cc32a58aecd4715374 (diff) | |
strongswan-swanctl: support strongswan-5.6.1 configuration options
I determined which options got changed by executing the following commands in the strongswan repository:

    git diff -U20 5.6.0..5.6.1 src/swanctl/swanctl.opt
    git diff -U20 5.6.0..5.6.1 conf
Diffstat (limited to 'nixos/modules')
4 files changed, 88 insertions, 23 deletions
diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix index 3eec9886811e..2b28b57963e1 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix @@ -431,6 +431,10 @@ in { Priority of the routing table. ''; + rsa_pss = mkYesNoParam no '' + Whether to use RSA with PSS padding instead of PKCS#1 padding by default. + ''; + send_delay = mkIntParam 0 '' Delay in ms for sending packets, to simulate larger RTT. ''; diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix index 56a253d85d39..5fd2b4b0c0a4 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix @@ -214,6 +214,11 @@ lib : with (import ./param-constructors.nix lib); { virtual IP. ''; + eap-radius.accounting_send_class = mkYesNoParam no '' + If enabled, adds the Class attributes received in Access-Accept + message to the RADIUS accounting messages. + ''; + eap-radius.class_group = mkYesNoParam no '' Use the class attribute sent in the Access-Accept message as group membership information, see EapRadius. @@ -916,6 +921,11 @@ lib : with (import ./param-constructors.nix lib); { strptime(3) format used to parse threshold option. ''; + systime-fix.timeout = mkDurationParam "0s" '' + How long to wait for a valid system time if an interval is + configured. 0 to recheck indefinitely. + ''; + tnc-ifmap.client_cert = mkOptionalStrParam '' Path to X.509 certificate file of IF-MAP client. ''; 
diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix index ad8053053701..90828642da0a 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix @@ -144,12 +144,6 @@ in { ''; }; - pacman.database = mkOptionalStrParam '' - Database URI for the database that stores the package information. If it - contains a password, make sure to adjust the permissions of the config - file accordingly. - ''; - pki.load = mkSpaceSepListParam [] '' Plugins to load in ipsec pki tool. ''; @@ -174,6 +168,41 @@ in { Plugins to load in ipsec scepclient tool. ''; + sec-updater = { + database = mkOptionalStrParam '' + Global IMV policy database URI. If it contains a password, make + sure to adjust the permissions of the config file accordingly. + ''; + + swid_gen.command = mkStrParam "/usr/local/bin/swid_generator" '' + SWID generator command to be executed. + ''; + + swid_gen.tag_creator.name = mkStrParam "strongSwan Project" '' + Name of the tagCreator entity. + ''; + + swid_gen.tag_creator.regid = mkStrParam "strongswan.org" '' + regid of the tagCreator entity. + ''; + + tnc_manage_command = mkStrParam "/var/www/tnc/manage.py" '' + strongTNC manage.py command used to import SWID tags. + ''; + + tmp.deb_file = mkStrParam "/tmp/sec-updater.deb" '' + Temporary storage for downloaded deb package file. + ''; + + tmp.tag_file = mkStrParam "/tmp/sec-updater.tag" '' + Temporary storage for generated SWID tags. + ''; + + load = mkSpaceSepListParam [] '' + Plugins to load in sec-updater tool. + ''; + }; + starter = { config_file = mkStrParam "\${sysconfdir}/ipsec.conf" '' Location of the ipsec.conf file. 
diff --git a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix index 095ae549730e..39d184131c36 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix @@ -286,7 +286,7 @@ in { On initiators this setting specifies whether an INITIAL_CONTACT notify is sent during IKE_AUTH if no existing connection is found with the remote peer (determined by the identities of the first authentication - round). Only if set to keep or replace will the client send a notify. + round). Unless set to <literal>never</literal> the client will send a notify. ''; reauth_time = mkDurationParam "0s" '' @@ -444,7 +444,12 @@ in { <literal>ike:</literal> prefix are configured any signature scheme constraint (without <literal>ike:</literal> prefix) will also apply to IKEv2 authentication, unless this is disabled in - <literal>strongswan.conf</literal>. + <literal>strongswan.conf</literal>. To use RSASSA-PSS signatures use + <literal>rsa/pss</literal> instead of <literal>pubkey</literal> or + <literal>rsa</literal> as in e.g. + <literal>ike:rsa/pss-sha256</literal>. If <literal>pubkey</literal> or + <literal>rsa</literal> constraints are configured RSASSA-PSS signatures + will only be used if enabled in <literal>strongswan.conf</literal>(5). </para></listitem> </itemizedlist> ''; 
@@ -585,7 +590,12 @@ in { <option>local</option> section's <option>auth</option> keyword for details), such key types and hash algorithms are also applied as constraints against IKEv2 signature authentication schemes used by the - remote side. + remote side. To require RSASSA-PSS signatures use + <literal>rsa/pss</literal> instead of <literal>pubkey</literal> or + <literal>rsa</literal> as in e.g. <literal>rsa/pss-sha256</literal>. If + <literal>pubkey</literal> or <literal>rsa</literal> constraints are + configured RSASSA-PSS signatures will only be accepted if enabled in + <literal>strongswan.conf</literal>(5). </para><para> To specify trust chain constraints for EAP-(T)TLS, append a colon to the EAP method, followed by the key type/size and hash algorithm as 
@@ -872,27 +882,39 @@ in { ''; mark_in = mkStrParam "0/0x00000000" '' - Netfilter mark and mask for input traffic. On Linux Netfilter may - require marks on each packet to match an SA having that option set. This - allows Netfilter rules to select specific tunnels for incoming - traffic. The special value <literal>%unique</literal> sets a unique mark - on each CHILD_SA instance, beyond that the value - <literal>%unique-dir</literal> assigns a different unique mark for each - CHILD_SA direction (in/out). + Netfilter mark and mask for input traffic. On Linux, Netfilter may + require marks on each packet to match an SA/policy having that option + set. This allows installing duplicate policies and enables Netfilter + rules to select specific SAs/policies for incoming traffic. Note that + inbound marks are only set on policies, by default, unless + <option>mark_in_sa</option> is enabled. The special value + <literal>%unique</literal> sets a unique mark on each CHILD_SA instance, + beyond that the value <literal>%unique-dir</literal> assigns a different + unique mark for each </para><para> An additional mask may be appended to the mark, separated by <literal>/</literal>. The default mask if omitted is <literal>0xffffffff</literal>. ''; + mark_in_sa = mkYesNoParam no '' + Whether to set <option>mark_in</option> on the inbound SA. By default, + the inbound mark is only set on the inbound policy. The tuple destination + address, protocol and SPI is unique and the mark is not required to find + the correct SA, allowing to mark traffic after decryption instead (where + more specific selectors may be used) to match different policies. Marking + packets before decryption is still possible, even if no mark is set on + the SA. + ''; + mark_out = mkStrParam "0/0x00000000" '' - Netfilter mark and mask for output traffic. On Linux Netfilter may - require marks on each packet to match a policy having that option - set. 
This allows Netfilter rules to select specific tunnels for outgoing - traffic. The special value <literal>%unique</literal> sets a unique mark - on each CHILD_SA instance, beyond that the value - <literal>%unique-dir</literal> assigns a different unique mark for each - CHILD_SA direction (in/out). + Netfilter mark and mask for output traffic. On Linux, Netfilter may + require marks on each packet to match a policy/SA having that option + set. This allows installing duplicate policies and enables Netfilter + rules to select specific policies/SAs for outgoing traffic. The special + value <literal>%unique</literal> sets a unique mark on each CHILD_SA + instance, beyond that the value <literal>%unique-dir</literal> assigns a + different unique mark for each CHILD_SA direction (in/out). </para><para> An additional mask may be appended to the mark, separated by <literal>/</literal>. The default mask if omitted is |
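Review bot: the new `rsa_pss` option in the strongswan-charon-params.nix hunk defaults to `no`, so PKCS#1 v1.5 padding stays the default for RSA signatures; the description should say that explicitly and point at the per-connection `rsa/pss` auth constraint documented in the swanctl-params.nix hunks of this same commit, since those hunks state that with plain `pubkey` or `rsa` constraints PSS is only used or accepted "if enabled in strongswan.conf(5)", which in this module means this option. Suggested wording: "Whether to use RSA with PSS padding instead of PKCS#1 v1.5 padding by default; connections can request PSS explicitly with an rsa/pss auth constraint."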
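Review bot: the strongswan-params.nix hunk at @@ -144 deletes `pacman.database` outright, so any existing configuration that sets it will fail evaluation with an unexplained "option does not exist" error. Add a `lib.mkRemovedOptionModule` entry for the removed option path with a message pointing at `sec-updater.database`, which the second hunk in the same file adds with near-identical wording and which is the likely replacement, and mention the removal in the commit message, which currently only describes how the changed options were found.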
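Review bot: in the `sec-updater` block of the strongswan-params.nix hunk at @@ -174, `tmp.deb_file` and `tmp.tag_file` default to fixed, predictable names in the shared /tmp directory ("/tmp/sec-updater.deb", "/tmp/sec-updater.tag"); a pre-existing file or symlink at one of those paths lets another local user influence what the tool writes there and later reads back. If the defaults have to mirror upstream, the descriptions should at least say that the files are created in world-writable /tmp and recommend a directory owned by the user running sec-updater. In the same hunk, the `swid_gen.command` ("/usr/local/bin/swid_generator") and `tnc_manage_command` ("/var/www/tnc/manage.py") defaults are FHS paths that do not exist on NixOS, so a note that they must be overridden, or a default derived from a package in the store, would help users.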
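Review bot: the two swanctl-params.nix hunks at @@ -444 and @@ -585 both end with "if enabled in <literal>strongswan.conf</literal>(5)", but within this module that setting is the `rsa_pss` option added in the strongswan-charon-params.nix hunk of the same commit; referencing it with <option> markup, as the last hunk does with <option>mark_in_sa</option>, would tell the reader which NixOS option to set instead of sending them to the man page.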
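Review bot: the rewritten `mark_in` description in the swanctl-params.nix hunk at @@ -872 ends mid-sentence: the added line "unique mark for each" is followed directly by the unchanged "</para><para>" context, whereas both the removed text and the rewritten `mark_out` description in the same hunk finish with "CHILD_SA direction (in/out)." Restore the missing words so the line reads "unique mark for each CHILD_SA direction (in/out)." before this is merged, since the truncated sentence would be rendered verbatim in the generated option documentation.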