From 7cc5ee235482232c7c4137ba46ca2c8dba7f9618 Mon Sep 17 00:00:00 2001 From: Bas van Dijk Date: Tue, 28 Nov 2017 00:51:40 +0100 Subject: strongswan-swanctl: support strongswan-5.6.1 configuration options I determined which options got changed by executing the following commands in the strongswan repository: git diff -U20 5.6.0..5.6.1 src/swanctl/swanctl.opt git diff -U20 5.6.0..5.6.1 conf --- .../strongswan-charon-params.nix | 4 ++ .../strongswan-charon-plugins-params.nix | 10 ++++ .../strongswan-swanctl/strongswan-params.nix | 41 +++++++++++++--- .../strongswan-swanctl/swanctl-params.nix | 56 +++++++++++++++------- 4 files changed, 88 insertions(+), 23 deletions(-) (limited to 'nixos/modules/services/networking/strongswan-swanctl') diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix index 3eec9886811e..2b28b57963e1 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix @@ -431,6 +431,10 @@ in { Priority of the routing table. ''; + rsa_pss = mkYesNoParam no '' + Whether to use RSA with PSS padding instead of PKCS#1 padding by default. + ''; + send_delay = mkIntParam 0 '' Delay in ms for sending packets, to simulate larger RTT. ''; diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix index 56a253d85d39..5fd2b4b0c0a4 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix 
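Review bot: The description of the new `rsa_pss` option does not say what it actually gates; the swanctl-params hunks in this same commit document that with plain `pubkey`/`rsa` auth constraints RSASSA-PSS is only used or accepted "if enabled in strongswan.conf(5)", and this charon option is that switch. Suggest extending the docstring to `Whether to use RSA with PSS padding instead of PKCS#1 v1.5 padding by default. This also determines whether RSASSA-PSS signatures are used/accepted for connections whose auth constraints only specify pubkey or rsa; use an explicit rsa/pss constraint to require PSS regardless of this setting.` The default `no` keeps the legacy PKCS#1 v1.5 behaviour; a sentence warning that enabling it may affect interoperability with peers lacking PSS support in IKEv2 signature authentication would help operators, though that cannot be confirmed from this diff alone.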
@@ -214,6 +214,11 @@ lib : with (import ./param-constructors.nix lib); { virtual IP. ''; + eap-radius.accounting_send_class = mkYesNoParam no '' + If enabled, adds the Class attributes received in Access-Accept + message to the RADIUS accounting messages. + ''; + eap-radius.class_group = mkYesNoParam no '' Use the class attribute sent in the Access-Accept message as group membership information, see EapRadius. @@ -916,6 +921,11 @@ lib : with (import ./param-constructors.nix lib); { strptime(3) format used to parse threshold option. ''; + systime-fix.timeout = mkDurationParam "0s" '' + How long to wait for a valid system time if an interval is + configured. 0 to recheck indefinitely. + ''; + tnc-ifmap.client_cert = mkOptionalStrParam '' Path to X.509 certificate file of IF-MAP client. ''; diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix index ad8053053701..90828642da0a 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix @@ -144,12 +144,6 @@ in { ''; }; - pacman.database = mkOptionalStrParam '' - Database URI for the database that stores the package information. If it - contains a password, make sure to adjust the permissions of the config - file accordingly. - ''; - pki.load = mkSpaceSepListParam [] '' Plugins to load in ipsec pki tool. ''; 
@@ -174,6 +168,41 @@ in { Plugins to load in ipsec scepclient tool. ''; + sec-updater = { + database = mkOptionalStrParam '' + Global IMV policy database URI. If it contains a password, make + sure to adjust the permissions of the config file accordingly. + ''; + + swid_gen.command = mkStrParam "/usr/local/bin/swid_generator" '' + SWID generator command to be executed. + ''; + + swid_gen.tag_creator.name = mkStrParam "strongSwan Project" '' + Name of the tagCreator entity. + ''; + + swid_gen.tag_creator.regid = mkStrParam "strongswan.org" '' + regid of the tagCreator entity. + ''; + + tnc_manage_command = mkStrParam "/var/www/tnc/manage.py" '' + strongTNC manage.py command used to import SWID tags. + ''; + + tmp.deb_file = mkStrParam "/tmp/sec-updater.deb" '' + Temporary storage for downloaded deb package file. + ''; + + tmp.tag_file = mkStrParam "/tmp/sec-updater.tag" '' + Temporary storage for generated SWID tags. + ''; + + load = mkSpaceSepListParam [] '' + Plugins to load in sec-updater tool. + ''; + }; + starter = { config_file = mkStrParam "\${sysconfdir}/ipsec.conf" '' Location of the ipsec.conf file. diff --git a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix index 095ae549730e..39d184131c36 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix @@ -286,7 +286,7 @@ in { On initiators this setting specifies whether an INITIAL_CONTACT notify is sent during IKE_AUTH if no existing connection is found with the remote peer (determined by the identities of the first authentication - round). Only if set to keep or replace will the client send a notify. + round). Unless set to never the client will send a notify. ''; reauth_time = mkDurationParam "0s" '' 
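Review bot: The defaults added for `sec-updater.tmp.deb_file` and `sec-updater.tmp.tag_file` are fixed, predictable names in the world-writable `/tmp` (`/tmp/sec-updater.deb`, `/tmp/sec-updater.tag`); a tool that downloads a package to, and writes generated tags at, a fixed path in `/tmp` is exposed to symlink/pre-creation races, so the descriptions should at least say so, e.g. `Temporary storage for downloaded deb package file. Prefer a private directory over the world-writable /tmp default.` Likewise `swid_gen.command` and `tnc_manage_command` default to `/usr/local/bin/swid_generator` and `/var/www/tnc/manage.py`, paths that do not exist on a NixOS system, so these are upstream placeholders any user of the tool must override, which is worth stating in the descriptions. The `database` description tells the user to restrict the permissions of the config file if the URI carries a password; if this module renders strongswan.conf into the Nix store (as NixOS modules typically do) that file is world-readable and the advice cannot be followed, so the doc should steer users to keep credentials out of the URI instead — I cannot confirm the rendering path from this hunk.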
@@ -444,7 +444,12 @@ in { ike: prefix are configured any signature scheme constraint (without ike: prefix) will also apply to IKEv2 authentication, unless this is disabled in - strongswan.conf. + strongswan.conf. To use RSASSA-PSS signatures use + rsa/pss instead of pubkey or + rsa as in e.g. + ike:rsa/pss-sha256. If pubkey or + rsa constraints are configured RSASSA-PSS signatures + will only be used if enabled in strongswan.conf(5). ''; @@ -585,7 +590,12 @@ in { section's keyword for details), such key types and hash algorithms are also applied as constraints against IKEv2 signature authentication schemes used by the - remote side. + remote side. To require RSASSA-PSS signatures use + rsa/pss instead of pubkey or + rsa as in e.g. rsa/pss-sha256. If + pubkey or rsa constraints are + configured RSASSA-PSS signatures will only be accepted if enabled in + strongswan.conf(5). To specify trust chain constraints for EAP-(T)TLS, append a colon to the EAP method, followed by the key type/size and hash algorithm as 
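Review bot: The new text defers to "enabled in strongswan.conf(5)" without naming the option, but this commit adds the corresponding switch as `charon.rsa_pss` in strongswan-charon-params.nix, and a NixOS user sets strongswan.conf through that module option rather than by reading the man page. Suggest ending the paragraph with `If pubkey or rsa constraints are configured, RSASSA-PSS signatures will only be used if services.strongswan-swanctl.strongswan.charon.rsa_pss is enabled.`; the full option path is inferred from the file names, so verify it against the module. The same man-page reference appears in the remote-auth hunk below and should be updated together.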
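Review bot: In the remote-side paragraph the phrase "will only be accepted if enabled in strongswan.conf(5)" describes when PSS becomes acceptable, but readers may take it to mean that enabling the global switch restricts the peer to PSS; presumably it only adds PSS alongside PKCS#1 v1.5, and the only way to reject legacy PKCS#1 v1.5 signatures from the peer is the explicit `rsa/pss` constraint mentioned earlier in the same paragraph. Suggest making that explicit, e.g. `Note that enabling PSS globally does not reject PKCS#1 v1.5 signatures; to enforce PSS-only authentication of the peer use an rsa/pss constraint.`, and naming the NixOS option (`charon.rsa_pss`, added in this commit) instead of the man page. Confirm the additive semantics against the strongswan documentation before adopting this wording.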
@@ -872,27 +882,39 @@ in { ''; mark_in = mkStrParam "0/0x00000000" '' - Netfilter mark and mask for input traffic. On Linux Netfilter may - require marks on each packet to match an SA having that option set. This - allows Netfilter rules to select specific tunnels for incoming - traffic. The special value %unique sets a unique mark - on each CHILD_SA instance, beyond that the value - %unique-dir assigns a different unique mark for each - CHILD_SA direction (in/out). + Netfilter mark and mask for input traffic. On Linux, Netfilter may + require marks on each packet to match an SA/policy having that option + set. This allows installing duplicate policies and enables Netfilter + rules to select specific SAs/policies for incoming traffic. Note that + inbound marks are only set on policies, by default, unless + is enabled. The special value + %unique sets a unique mark on each CHILD_SA instance, + beyond that the value %unique-dir assigns a different + unique mark for each An additional mask may be appended to the mark, separated by /. The default mask if omitted is 0xffffffff. ''; + mark_in_sa = mkYesNoParam no '' + Whether to set on the inbound SA. By default, + the inbound mark is only set on the inbound policy. The tuple destination + address, protocol and SPI is unique and the mark is not required to find + the correct SA, allowing to mark traffic after decryption instead (where + more specific selectors may be used) to match different policies. Marking + packets before decryption is still possible, even if no mark is set on + the SA. + ''; + mark_out = mkStrParam "0/0x00000000" '' - Netfilter mark and mask for output traffic. On Linux Netfilter may - require marks on each packet to match a policy having that option - set. This allows Netfilter rules to select specific tunnels for outgoing - traffic. 
The special value %unique sets a unique mark - on each CHILD_SA instance, beyond that the value - %unique-dir assigns a different unique mark for each - CHILD_SA direction (in/out). + Netfilter mark and mask for output traffic. On Linux, Netfilter may + require marks on each packet to match a policy/SA having that option + set. This allows installing duplicate policies and enables Netfilter + rules to select specific policies/SAs for outgoing traffic. The special + value %unique sets a unique mark on each CHILD_SA + instance, beyond that the value %unique-dir assigns a + different unique mark for each CHILD_SA direction (in/out). An additional mask may be appended to the mark, separated by /. The default mask if omitted is -- cgit 1.4.1
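Review bot: The rewritten `mark_in` description is cut off mid-sentence — `%unique-dir assigns a different unique mark for each` runs straight into `An additional mask may be appended` — and the clause `unless is enabled` has lost the name of the option it refers to (presumably `mark_in_sa`, added in the same hunk), while `mark_in_sa` itself reads `Whether to set on the inbound SA` with the subject missing (presumably `mark_in`). Compare the parallel `mark_out` text in this hunk, which ends `a different unique mark for each CHILD_SA direction (in/out).`; the `mark_in` sentence should be completed the same way and the two references restored, e.g. `unless mark_in_sa is enabled` and `Whether to set mark_in on the inbound SA`. The missing option names may be markup stripped by the page rendering rather than by the commit, so check the raw file before changing them; the truncated `for each` sentence looks like a genuine copy error since `mark_out` kept the complete sentence.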