Merge pull request #62616 from basvandijk/strongswan-5.8.0

strongswan: 5.7.2 -> 5.8.0

nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix

@@ -6,7 +6,7 @@
 #
 #   git clone https://github.com/strongswan/strongswan.git
 #   cd strongswan
-#   git diff 5.5.3..5.6.0 src/swanctl/swanctl.opt
+#   git diff 5.7.2..5.8.0 src/swanctl/swanctl.opt
 
 lib: with (import ./param-constructors.nix lib);
 
@@ -227,6 +227,22 @@ in {
       irrespective of the value of this option (even when set to no).
     '';
 
+    childless = mkEnumParam [ "allow" "force" "never" ] "allow" ''
+      Use childless IKE_SA initiation (RFC 6023) for IKEv2.  Acceptable values
+      are <literal>allow</literal> (the default), <literal>force</literal> and
+      <literal>never</literal>. If set to <literal>allow</literal>, responders
+      will accept childless IKE_SAs (as indicated via notify in the IKE_SA_INIT
+      response) while initiators continue to create regular IKE_SAs with the
+      first CHILD_SA created during IKE_AUTH, unless the IKE_SA is initiated
+      explicitly without any children (which will fail if the responder does not
+      support or has disabled this extension).  If set to
+      <literal>force</literal>, only childless initiation is accepted and the
+      first CHILD_SA is created with a separate CREATE_CHILD_SA exchange
+      (e.g. to use an independent DH exchange for all CHILD_SAs). Finally,
+      setting the option to <literal>never</literal> disables support for
+      childless IKE_SAs as responder.
+    '';
+
     send_certreq = mkYesNoParam yes ''
       Send certificate request payloads to offer trusted root CA certificates to
       the peer. Certificate requests help the peer to choose an appropriate
@@ -350,6 +366,16 @@ in {
       name from either the pools section or an external pool.
     '';
 
+    if_id_in = mkStrParam "0" ''
+      XFRM interface ID set on inbound policies/SA, can be overridden by child
+      config, see there for details.
+    '';
+
+    if_id_out = mkStrParam "0" ''
+      XFRM interface ID set on outbound policies/SA, can be overridden by child
+      config, see there for details.
+    '';
+
     mediation = mkYesNoParam no ''
       Whether this connection is a mediation connection, that is, whether this
       connection is used to mediate other connections using the IKEv2 Mediation
@@ -799,7 +825,7 @@ in {
         Updown script to invoke on CHILD_SA up and down events.
       '';
 
-      hostaccess = mkYesNoParam yes ''
+      hostaccess = mkYesNoParam no ''
         Hostaccess variable to pass to <literal>updown</literal> script.
       '';
 
@@ -960,6 +986,26 @@ in {
         mask requires at least Linux 4.19.
       '';
 
+      if_id_in = mkStrParam "0" ''
+        XFRM interface ID set on inbound policies/SA. This allows installing
+        duplicate policies/SAs and associates them with an interface with the
+        same ID. The special value <literal>%unique</literal> sets a unique
+        interface ID on each CHILD_SA instance, beyond that the value
+        <literal>%unique-dir</literal> assigns a different unique interface ID
+        for each CHILD_SA direction (in/out).
+      '';
+
+      if_id_out = mkStrParam "0" ''
+        XFRM interface ID set on outbound policies/SA. This allows installing
+        duplicate policies/SAs and associates them with an interface with the
+        same ID. The special value <literal>%unique</literal> sets a unique
+        interface ID on each CHILD_SA instance, beyond that the value
+        <literal>%unique-dir</literal> assigns a different unique interface ID
+        for each CHILD_SA direction (in/out).
+
+        The daemon will not install routes for CHILD_SAs that have this option set.
+     '';
+
       tfc_padding = mkParamOfType (with lib.types; either int (enum ["mtu"])) 0 ''
         Pads ESP packets with additional data to have a consistent ESP packet
         size for improved Traffic Flow Confidentiality. The padding defines the

pkgs/tools/networking/strongswan/default.nix

@@ -19,11 +19,11 @@ with stdenv.lib;
 
 stdenv.mkDerivation rec {
   name = "strongswan-${version}";
-  version = "5.7.2";
+  version = "5.8.0"; # Make sure to also update <nixpkgs/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix> when upgrading!
 
   src = fetchurl {
     url = "https://download.strongswan.org/${name}.tar.bz2";
-    sha256 = "0w6cks42lvvyj5ivyhqyqxya48x93yzfpz281q3xmqicdskkp3ih";
+    sha256 = "0cq9m86ydd2i0awxkv4a256f4926p2f9pzlisyskl9fngl6f3c8m";
   };
 
   dontPatchELF = true;
@@ -40,10 +40,6 @@ stdenv.mkDerivation rec {
     ./ext_auth-path.patch
     ./firewall_defaults.patch
     ./updown-path.patch
-    (optional stdenv.isLinux (substituteAll {
-      src = ./modprobe-path.patch;
-      inherit kmod;
-    }))
   ];
 
   postPatch = optionalString stdenv.isLinux ''

pkgs/tools/networking/strongswan/modprobe-path.patch

@@ -1,56 +0,0 @@
-diff --git a/src/starter/klips.c b/src/starter/klips.c
-index 2216546..d626677 100644
---- a/src/starter/klips.c
-+++ b/src/starter/klips.c
-@@ -30,7 +30,7 @@ bool starter_klips_init(void)
- 		/* ipsec module makes the pf_key proc interface visible */
- 		if (stat(PROC_MODULES, &stb) == 0)
- 		{
--			ignore_result(system("modprobe -qv ipsec"));
-+			ignore_result(system("@kmod@/bin/modprobe -qv ipsec"));
- 		}
- 
- 		/* now test again */
-@@ -42,9 +42,9 @@ bool starter_klips_init(void)
- 	}
- 
- 	/* load crypto algorithm modules */
--	ignore_result(system("modprobe -qv ipsec_aes"));
--	ignore_result(system("modprobe -qv ipsec_blowfish"));
--	ignore_result(system("modprobe -qv ipsec_sha2"));
-+	ignore_result(system("@kmod@/bin/modprobe -qv ipsec_aes"));
-+	ignore_result(system("@kmod@/bin/modprobe -qv ipsec_blowfish"));
-+	ignore_result(system("@kmod@/bin/modprobe -qv ipsec_sha2"));
- 
- 	DBG2(DBG_APP, "found KLIPS IPsec stack");
- 	return TRUE;
-diff --git a/src/starter/netkey.c b/src/starter/netkey.c
-index b150d3e..0a7c2ff 100644
---- a/src/starter/netkey.c
-+++ b/src/starter/netkey.c
-@@ -30,7 +30,7 @@ bool starter_netkey_init(void)
- 		/* af_key module makes the netkey proc interface visible */
- 		if (stat(PROC_MODULES, &stb) == 0)
- 		{
--			ignore_result(system("modprobe -qv af_key"));
-+			ignore_result(system("@kmod@/bin/modprobe -qv af_key"));
- 		}
- 
- 		/* now test again */
-@@ -44,11 +44,11 @@ bool starter_netkey_init(void)
- 	/* make sure that all required IPsec modules are loaded */
- 	if (stat(PROC_MODULES, &stb) == 0)
- 	{
--		ignore_result(system("modprobe -qv ah4"));
--		ignore_result(system("modprobe -qv esp4"));
--		ignore_result(system("modprobe -qv ipcomp"));
--		ignore_result(system("modprobe -qv xfrm4_tunnel"));
--		ignore_result(system("modprobe -qv xfrm_user"));
-+		ignore_result(system("@kmod@/bin/modprobe -qv ah4"));
-+		ignore_result(system("@kmod@/bin/modprobe -qv esp4"));
-+		ignore_result(system("@kmod@/bin/modprobe -qv ipcomp"));
-+		ignore_result(system("@kmod@/bin/modprobe -qv xfrm4_tunnel"));
-+		ignore_result(system("@kmod@/bin/modprobe -qv xfrm_user"));
- 	}
- 
- 	DBG2(DBG_APP, "found netkey IPsec stack");