From 1959799d517164fd3427bbc854afe14dee876066 Mon Sep 17 00:00:00 2001
From: Bas van Dijk
Date: Mon, 3 Jun 2019 18:01:55 +0200
Subject: [PATCH] strongswan: 5.7.2 -> 5.8.0
---
 .../strongswan-swanctl/swanctl-params.nix | 50 ++++++++++++++++-
 pkgs/tools/networking/strongswan/default.nix | 8 +--
 .../networking/strongswan/modprobe-path.patch | 56 -------------------
 3 files changed, 50 insertions(+), 64 deletions(-)
 delete mode 100644 pkgs/tools/networking/strongswan/modprobe-path.patch
diff --git a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
index d4f7e95f859..808cb863a9c 100644
--- a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
@@ -6,7 +6,7 @@
 #
 # git clone https://github.com/strongswan/strongswan.git
 # cd strongswan
-# git diff 5.5.3..5.6.0 src/swanctl/swanctl.opt
+# git diff 5.7.2..5.8.0 src/swanctl/swanctl.opt
 lib:
 with (import ./param-constructors.nix lib);
@@ -227,6 +227,22 @@ in {
 irrespective of the value of this option (even when set to no).
 '';
+ childless = mkEnumParam [ "allow" "force" "never" ] "allow" ''
+ Use childless IKE_SA initiation (RFC 6023) for IKEv2. Acceptable values
+ are allow (the default), force and
+ never. If set to allow, responders
+ will accept childless IKE_SAs (as indicated via notify in the IKE_SA_INIT
+ response) while initiators continue to create regular IKE_SAs with the
+ first CHILD_SA created during IKE_AUTH, unless the IKE_SA is initiated
+ explicitly without any children (which will fail if the responder does not
+ support or has disabled this extension). If set to
+ force, only childless initiation is accepted and the
+ first CHILD_SA is created with a separate CREATE_CHILD_SA exchange
+ (e.g. to use an independent DH exchange for all CHILD_SAs). Finally,
+ setting the option to never disables support for
+ childless IKE_SAs as responder.
+ '';
+
 send_certreq = mkYesNoParam yes ''
 Send certificate request payloads to offer trusted root CA certificates
 to the peer. Certificate requests help the peer to choose an appropriate
@@ -350,6 +366,16 @@ in {
 name from either the pools section or an external pool.
 '';
+ if_id_in = mkStrParam "0" ''
+ XFRM interface ID set on inbound policies/SA, can be overridden by child
+ config, see there for details.
+ '';
+
+ if_id_out = mkStrParam "0" ''
+ XFRM interface ID set on outbound policies/SA, can be overridden by child
+ config, see there for details.
+ '';
+
 mediation = mkYesNoParam no ''
 Whether this connection is a mediation connection, that is, whether this
 connection is used to mediate other connections using the IKEv2 Mediation
@@ -799,7 +825,7 @@ in {
 Updown script to invoke on CHILD_SA up and down events.
 '';
- hostaccess = mkYesNoParam yes ''
+ hostaccess = mkYesNoParam no ''
 Hostaccess variable to pass to updown script.
 '';
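Review bot: The `@@ -799,7 +825,7 @@` hunk flips the default of `hostaccess` from `yes` to `no`, and nothing in this patch tells module users about it: the description stays `Hostaccess variable to pass to updown script.` and no release-notes entry is included. Because the value is handed to the updown script, which presumably uses it to decide whether the host itself is granted firewall exceptions, a deployment that relied on the previous default changes behaviour on upgrade without any evaluation error. Suggest extending the description with `Note that the default changed from yes to no with strongSwan 5.8.0; set it explicitly if you rely on the old behaviour.` and adding a matching release-notes entry. The enclosing attribute set starts and ends outside the hunk.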
@@ -960,6 +986,26 @@ in {
 mask requires at least Linux 4.19.
 '';
+ if_id_in = mkStrParam "0" ''
+ XFRM interface ID set on inbound policies/SA. This allows installing
+ duplicate policies/SAs and associates them with an interface with the
+ same ID. The special value %unique sets a unique
+ interface ID on each CHILD_SA instance, beyond that the value
+ %unique-dir assigns a different unique interface ID
+ for each CHILD_SA direction (in/out).
+ '';
+
+ if_id_out = mkStrParam "0" ''
+ XFRM interface ID set on outbound policies/SA. This allows installing
+ duplicate policies/SAs and associates them with an interface with the
+ same ID. The special value %unique sets a unique
+ interface ID on each CHILD_SA instance, beyond that the value
+ %unique-dir assigns a different unique interface ID
+ for each CHILD_SA direction (in/out).
+
+ The daemon will not install routes for CHILD_SAs that have this option set.
+ '';
+
 tfc_padding = mkParamOfType (with lib.types; either int (enum ["mtu"])) 0 ''
 Pads ESP packets with additional data to have a consistent ESP packet size
 for improved Traffic Flow Confidentiality. The padding defines the
diff --git a/pkgs/tools/networking/strongswan/default.nix b/pkgs/tools/networking/strongswan/default.nix
index 8cd76b9ca4e..1f0271c2257 100644
--- a/pkgs/tools/networking/strongswan/default.nix
+++ b/pkgs/tools/networking/strongswan/default.nix
@@ -19,11 +19,11 @@ with stdenv.lib;
 stdenv.mkDerivation rec {
 name = "strongswan-${version}";
- version = "5.7.2";
+ version = "5.8.0"; # Make sure to also update when upgrading!
 src = fetchurl {
 url = "https://download.strongswan.org/${name}.tar.bz2";
- sha256 = "0w6cks42lvvyj5ivyhqyqxya48x93yzfpz281q3xmqicdskkp3ih";
+ sha256 = "0cq9m86ydd2i0awxkv4a256f4926p2f9pzlisyskl9fngl6f3c8m";
 };
 dontPatchELF = true;
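Review bot: The child-level `if_id_in` and `if_id_out` in the `@@ -960,6 +986,26 @@` hunk are declared as `mkStrParam "0"` although their description defines a closed set of non-numeric values (`%unique`, `%unique-dir`) on top of a numeric ID, so a mistyped keyword passes Nix evaluation and is left for swanctl to reject at load time. The `tfc_padding` line just below in the same hunk already shows the house pattern for this value shape, `mkParamOfType (with lib.types; either int (enum ["mtu"])) 0`; the same construction with `enum ["%unique" "%unique-dir"]` would catch the mistake at evaluation time. The connection-level `if_id_in`/`if_id_out` added in the `@@ -350,6 +366,16 @@` hunk have the same shape and would want the same treatment. If swanctl also accepts ID spellings an `int` type would reject (hexadecimal, for instance), keep the string type and list the accepted forms in the description instead. The enclosing attribute set starts and ends outside the hunk.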
@@ -40,10 +40,6 @@ stdenv.mkDerivation rec {
 ./ext_auth-path.patch
 ./firewall_defaults.patch
 ./updown-path.patch
- (optional stdenv.isLinux (substituteAll {
- src = ./modprobe-path.patch;
- inherit kmod;
- }))
 ];
 postPatch = optionalString stdenv.isLinux ''
diff --git a/pkgs/tools/networking/strongswan/modprobe-path.patch b/pkgs/tools/networking/strongswan/modprobe-path.patch
deleted file mode 100644
index 4c0cb59c13a..00000000000
--- a/pkgs/tools/networking/strongswan/modprobe-path.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-diff --git a/src/starter/klips.c b/src/starter/klips.c
-index 2216546..d626677 100644
---- a/src/starter/klips.c
-+++ b/src/starter/klips.c
-@@ -30,7 +30,7 @@ bool starter_klips_init(void)
- /* ipsec module makes the pf_key proc interface visible */
- if (stat(PROC_MODULES, &stb) == 0)
- {
-- ignore_result(system("modprobe -qv ipsec"));
-+ ignore_result(system("@kmod@/bin/modprobe -qv ipsec"));
- }
- 
- /* now test again */
-@@ -42,9 +42,9 @@ bool starter_klips_init(void)
- }
- 
- /* load crypto algorithm modules */
-- ignore_result(system("modprobe -qv ipsec_aes"));
-- ignore_result(system("modprobe -qv ipsec_blowfish"));
-- ignore_result(system("modprobe -qv ipsec_sha2"));
-+ ignore_result(system("@kmod@/bin/modprobe -qv ipsec_aes"));
-+ ignore_result(system("@kmod@/bin/modprobe -qv ipsec_blowfish"));
-+ ignore_result(system("@kmod@/bin/modprobe -qv ipsec_sha2"));
- 
- DBG2(DBG_APP, "found KLIPS IPsec stack");
- return TRUE;
-diff --git a/src/starter/netkey.c b/src/starter/netkey.c
-index b150d3e..0a7c2ff 100644
---- a/src/starter/netkey.c
-+++ b/src/starter/netkey.c
-@@ -30,7 +30,7 @@ bool starter_netkey_init(void)
- /* af_key module makes the netkey proc interface visible */
- if (stat(PROC_MODULES, &stb) == 0)
- {
-- ignore_result(system("modprobe -qv af_key"));
-+ ignore_result(system("@kmod@/bin/modprobe -qv af_key"));
- }
- 
- /* now test again */
-@@ -44,11 +44,11 @@ bool starter_netkey_init(void)
- /* make sure that all required IPsec modules are loaded */
- if (stat(PROC_MODULES, &stb) == 0)
- {
-- ignore_result(system("modprobe -qv ah4"));
-- ignore_result(system("modprobe -qv esp4"));
-- ignore_result(system("modprobe -qv ipcomp"));
-- ignore_result(system("modprobe -qv xfrm4_tunnel"));
-- ignore_result(system("modprobe -qv xfrm_user"));
-+ ignore_result(system("@kmod@/bin/modprobe -qv ah4"));
-+ ignore_result(system("@kmod@/bin/modprobe -qv esp4"));
-+ ignore_result(system("@kmod@/bin/modprobe -qv ipcomp"));
-+ ignore_result(system("@kmod@/bin/modprobe -qv xfrm4_tunnel"));
-+ ignore_result(system("@kmod@/bin/modprobe -qv xfrm_user"));
- }
- 
- DBG2(DBG_APP, "found netkey IPsec stack");