author | Yves-Alexis Perez <corsac@debian.org> | 2014-07-11 07:23:31 +0200 |
committer | Yves-Alexis Perez <corsac@debian.org> | 2014-07-11 07:23:31 +0200 |
commit | 81c63b0eed39432878f78727f60a1e7499645199 (patch) | |
tree | 82387d8fecd1c20788fd8bd784a9b0bde091fb6b /conf/plugins | |
parent | c5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9 (diff) | |
Imported Upstream version 5.2.0
Diffstat (limited to 'conf/plugins')
30 files changed, 92 insertions, 141 deletions
diff --git a/conf/plugins/eap-tnc.conf b/conf/plugins/eap-tnc.conf
index aca72f1ed..27ef1366d 100644
--- a/conf/plugins/eap-tnc.conf
+++ b/conf/plugins/eap-tnc.conf
@@ -9,7 +9,7 @@ eap-tnc {
 # IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0,
 # tnccs-dynamic).
- # protocol = tnccs-1.1
+ # protocol = tnccs-2.0
 }
diff --git a/conf/plugins/eap-tnc.opt b/conf/plugins/eap-tnc.opt
index 8e060ceda..559315240 100644
--- a/conf/plugins/eap-tnc.opt
+++ b/conf/plugins/eap-tnc.opt
@@ -1,6 +1,6 @@
 charon.plugins.eap-tnc.max_message_count = 10
 Maximum number of processed EAP-TNC packets (0 = no limit).
-charon.plugins.eap-tnc.protocol = tnccs-1.1
+charon.plugins.eap-tnc.protocol = tnccs-2.0
 IF-TNCCS protocol version to be used (_tnccs-1.1_, _tnccs-2.0_,
 _tnccs-dynamic_).
diff --git a/conf/plugins/eap-ttls.conf b/conf/plugins/eap-ttls.conf
index 5229625e0..0614dcb3c 100644
--- a/conf/plugins/eap-ttls.conf
+++ b/conf/plugins/eap-ttls.conf
@@ -23,6 +23,9 @@ eap-ttls {
 # Start phase2 EAP TNC protocol after successful client authentication.
 # phase2_tnc = no
+ # Phase2 EAP TNC transport protocol (pt as IETF standard or legacy tnc)
+ # phase2_tnc_method = pt
+
 # Request peer authentication based on a client certificate.
 # request_peer_auth = no
diff --git a/conf/plugins/eap-ttls.opt b/conf/plugins/eap-ttls.opt
index 21a6cb674..7dcee82b2 100644
--- a/conf/plugins/eap-ttls.opt
+++ b/conf/plugins/eap-ttls.opt
@@ -16,5 +16,8 @@ charon.plugins.eap-ttls.phase2_piggyback = no
 charon.plugins.eap-ttls.phase2_tnc = no
 Start phase2 EAP TNC protocol after successful client authentication.
+charon.plugins.eap-ttls.phase2_tnc_method = pt
+ Phase2 EAP TNC transport protocol (_pt_ as IETF standard or legacy _tnc_)
+
 charon.plugins.eap-ttls.request_peer_auth = no
 Request peer authentication based on a client certificate.
diff --git a/conf/plugins/imc-attestation.conf b/conf/plugins/imc-attestation.conf
index 2d8deaa8e..eed706fb8 100644
--- a/conf/plugins/imc-attestation.conf
+++ b/conf/plugins/imc-attestation.conf
@@ -1,29 +1,8 @@
 imc-attestation {
- # AIK encrypted private key blob file.
- # aik_blob =
-
- # AIK certificate file.
- # aik_cert =
-
- # AIK public key file.
- # aik_key =
-
 # Whether to load the plugin. Can also be an integer to increase the
 # priority of this plugin.
 load = yes
- # Enforce mandatory Diffie-Hellman groups.
- # mandatory_dh_groups = yes
-
- # DH nonce length.
- # nonce_len = 20
-
- # Whether to send pcr_before and pcr_after info.
- # pcr_info = yes
-
- # Use Quote2 AIK signature instead of Quote signature.
- # use_quote2 = yes
-
 }
diff --git a/conf/plugins/imc-attestation.opt b/conf/plugins/imc-attestation.opt
index aaac4c2c1..9b60b9ede 100644
--- a/conf/plugins/imc-attestation.opt
+++ b/conf/plugins/imc-attestation.opt
@@ -1,20 +1,20 @@
-charon.plugins.imc-attestation.aik_blob =
+libimcv.plugins.imc-attestation.aik_blob =
 AIK encrypted private key blob file.
-charon.plugins.imc-attestation.aik_cert =
+libimcv.plugins.imc-attestation.aik_cert =
 AIK certificate file.
-charon.plugins.imc-attestation.aik_key =
+libimcv.plugins.imc-attestation.aik_pubkey =
 AIK public key file.
-charon.plugins.imc-attestation.mandatory_dh_groups = yes
+libimcv.plugins.imc-attestation.mandatory_dh_groups = yes
 Enforce mandatory Diffie-Hellman groups.
-charon.plugins.imc-attestation.nonce_len = 20
+libimcv.plugins.imc-attestation.nonce_len = 20
 DH nonce length.
-charon.plugins.imc-attestation.use_quote2 = yes
+libimcv.plugins.imc-attestation.use_quote2 = yes
 Use Quote2 AIK signature instead of Quote signature.
-charon.plugins.imc-attestation.pcr_info = yes
+libimcv.plugins.imc-attestation.pcr_info = no
 Whether to send pcr_before and pcr_after info.
diff --git a/conf/plugins/imc-os.conf b/conf/plugins/imc-os.conf
index 1d245d3f3..56b218228 100644
--- a/conf/plugins/imc-os.conf
+++ b/conf/plugins/imc-os.conf
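Review bot: The hunk renames `aik_key` to `aik_pubkey` and moves every key from `charon.plugins.imc-attestation.*` to `libimcv.plugins.imc-attestation.*`, yet nothing tells an administrator that a value set under the old names is presumably no longer read, and the `pcr_info` default flips from `yes` to `no` without a word. The same namespace move is made in the imc-os, imc-scanner, imc-swid, imc-test, imv-attestation, imv-os, imv-scanner and imv-test .opt hunks. Since the matching .conf templates in this commit are reduced to `load = yes`, the .opt description is the only place an operator will see these options, so it should carry the migration hint, e.g. extend the `aik_pubkey` entry with `(formerly charon.plugins.imc-attestation.aik_key; the charon.plugins namespace is no longer used for this plugin)` and note the new `pcr_info` default in the changelog.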
@@ -4,8 +4,5 @@ imc-os {
 # priority of this plugin.
 load = yes
- # Send operating system info without being prompted.
- # push_info = yes
-
 }
diff --git a/conf/plugins/imc-os.opt b/conf/plugins/imc-os.opt
index 2a6333f93..4f559f2b9 100644
--- a/conf/plugins/imc-os.opt
+++ b/conf/plugins/imc-os.opt
@@ -1,2 +1,14 @@
-charon.plugins.imc-os.push_info = yes
+libimcv.plugins.imc-os.device_cert =
+ Manually set the path to the client device certificate
+ (e.g. /etc/pts/aikCert.der)
+
+libimcv.plugins.imc-os.device_id =
+ Manually set the client device ID in hexadecimal format
+ (e.g. 1083f03988c9762703b1c1080c2e46f72b99cc31)
+
+libimcv.plugins.imc-os.device_pubkey =
+ Manually set the path to the client device public key
+ (e.g. /etc/pts/aikPub.der)
+
+libimcv.plugins.imc-os.push_info = yes
 Send operating system info without being prompted.
diff --git a/conf/plugins/imc-scanner.conf b/conf/plugins/imc-scanner.conf
index 7f2f53106..fb05a0823 100644
--- a/conf/plugins/imc-scanner.conf
+++ b/conf/plugins/imc-scanner.conf
@@ -4,8 +4,5 @@ imc-scanner {
 # priority of this plugin.
 load = yes
- # Send open listening ports without being prompted.
- # push_info = yes
-
 }
diff --git a/conf/plugins/imc-scanner.opt b/conf/plugins/imc-scanner.opt
index 84e6dfa2f..9cc12b91d 100644
--- a/conf/plugins/imc-scanner.opt
+++ b/conf/plugins/imc-scanner.opt
@@ -1,2 +1,2 @@
-charon.plugins.imc-scanner.push_info = yes
+libimcv.plugins.imc-scanner.push_info = yes
 Send open listening ports without being prompted.
diff --git a/conf/plugins/imc-swid.conf b/conf/plugins/imc-swid.conf
index 8b3317163..4893703ad 100644
--- a/conf/plugins/imc-swid.conf
+++ b/conf/plugins/imc-swid.conf
@@ -4,8 +4,5 @@ imc-swid {
 # priority of this plugin.
 load = yes
- # Directory where SWID tags are located.
- # swid_directory = ${prefix}/share
-
 }
diff --git a/conf/plugins/imc-swid.opt b/conf/plugins/imc-swid.opt
index 67f7c79c4..74490c179 100644
--- a/conf/plugins/imc-swid.opt
+++ b/conf/plugins/imc-swid.opt
@@ -1,2 +1,11 @@
-charon.plugins.imc-swid.swid_directory = ${prefix}/share
+libimcv.plugins.imc-swid.swid_directory = ${prefix}/share
 Directory where SWID tags are located.
+
+libimcv.plugins.imc-swid.swid_generator = /usr/local/bin/swid_generator
+ SWID generator command to be executed.
+
+libimcv.plugins.imc-swid.swid_pretty = FALSE
+ Generate XML-encoded SWID tags with pretty indentation.
+
+libimcv.plugins.imc-swid.swid_full = FALSE
+ Include file information in the XML-encoded SWID tags.
diff --git a/conf/plugins/imc-test.conf b/conf/plugins/imc-test.conf
index 0d66e3d0c..4deac7641 100644
--- a/conf/plugins/imc-test.conf
+++ b/conf/plugins/imc-test.conf
@@ -1,23 +1,8 @@
 imc-test {
- # Number of additional IMC IDs.
- # additional_ids = 0
-
- # Command to be sent to the Test IMV.
- # command = none
-
- # Size of dummy attribute to be sent to the Test IMV (0 = disabled).
- # dummy_size = 0
-
 # Whether to load the plugin. Can also be an integer to increase the
 # priority of this plugin.
 load = yes
- # Do a handshake retry.
- # retry = no
-
- # Command to be sent to the Test IMV in the handshake retry.
- # retry_command =
-
 }
diff --git a/conf/plugins/imc-test.opt b/conf/plugins/imc-test.opt
index c3169b5af..e15b069e8 100644
--- a/conf/plugins/imc-test.opt
+++ b/conf/plugins/imc-test.opt
@@ -1,14 +1,14 @@
-charon.plugins.imc-test.additional_ids = 0
+libimcv.plugins.imc-test.additional_ids = 0
 Number of additional IMC IDs.
-charon.plugins.imc-test.command = none
+libimcv.plugins.imc-test.command = none
 Command to be sent to the Test IMV.
-charon.plugins.imc-test.dummy_size = 0
+libimcv.plugins.imc-test.dummy_size = 0
 Size of dummy attribute to be sent to the Test IMV (0 = disabled).
-charon.plugins.imc-test.retry = no
+libimcv.plugins.imc-test.retry = no
 Do a handshake retry.
-charon.plugins.imc-test.retry_command =
+libimcv.plugins.imc-test.retry_command =
 Command to be sent to the Test IMV in the handshake retry.
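Review bot: `swid_pretty = FALSE` and `swid_full = FALSE` in the imc-swid.opt hunk spell booleans in uppercase while every other boolean default in these files uses `yes`/`no` (`push_info = yes`, `retry = no`); `swid_pretty = no` and `swid_full = no` would match the house style and the matching .conf comments. The `swid_generator` entry documents an executable path with only `SWID generator command to be executed.`, which does not say that the IMC host process presumably runs this binary with its own privileges, so an operator cannot tell that the file's ownership and permissions matter. Suggest `SWID generator command executed by the IMC; point it at a trusted binary that only root can modify.` once the invocation is confirmed against the plugin code.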
diff --git a/conf/plugins/imv-attestation.conf b/conf/plugins/imv-attestation.conf
index 3a1a7f225..29a42090b 100644
--- a/conf/plugins/imv-attestation.conf
+++ b/conf/plugins/imv-attestation.conf
@@ -1,45 +1,8 @@
-imc-attestation {
-
- # Dummy data if the TBOOT log is not retrieved.
- # pcr17_after =
-
- # Dummy data if the TBOOT log is not retrieved.
- # pcr17_before =
-
- # Dummy data if the TBOOT log is not retrieved.
- # pcr17_meas =
-
- # Dummy data if the TBOOT log is not retrieved.
- # pcr18_after =
-
- # Dummy data if the TBOOT log is not retrieved.
- # pcr18_before =
-
- # Dummy data if the TBOOT log is not retrieved.
- # pcr18_meas =
-
-}
-
 imv-attestation {
- # Path to directory with AIK cacerts.
- # cadir =
-
- # Preferred Diffie-Hellman group.
- # dh_group = ecp256
-
- # Preferred measurement hash algorithm.
- # hash_algorithm = sha256
-
 # Whether to load the plugin. Can also be an integer to increase the
 # priority of this plugin.
 load = yes
- # Enforce mandatory Diffie-Hellman groups.
- # mandatory_dh_groups = yes
-
- # DH minimum nonce length.
- # min_nonce_len = 0
-
 }
diff --git a/conf/plugins/imv-attestation.opt b/conf/plugins/imv-attestation.opt
index f266281e6..3ad51625d 100644
--- a/conf/plugins/imv-attestation.opt
+++ b/conf/plugins/imv-attestation.opt
@@ -1,32 +1,32 @@
-charon.plugins.imv-attestation.cadir =
+libimcv.plugins.imv-attestation.cadir =
 Path to directory with AIK cacerts.
-charon.plugins.imv-attestation.mandatory_dh_groups = yes
+libimcv.plugins.imv-attestation.mandatory_dh_groups = yes
 Enforce mandatory Diffie-Hellman groups.
-charon.plugins.imv-attestation.dh_group = ecp256
+libimcv.plugins.imv-attestation.dh_group = ecp256
 Preferred Diffie-Hellman group.
-charon.plugins.imv-attestation.hash_algorithm = sha256
+libimcv.plugins.imv-attestation.hash_algorithm = sha256
 Preferred measurement hash algorithm.
-charon.plugins.imv-attestation.min_nonce_len = 0
+libimcv.plugins.imv-attestation.min_nonce_len = 0
 DH minimum nonce length.
-charon.plugins.imc-attestation.pcr17_after
+libimcv.plugins.imc-attestation.pcr17_after
 Dummy data if the TBOOT log is not retrieved.
-charon.plugins.imc-attestation.pcr17_before
+libimcv.plugins.imc-attestation.pcr17_before
 Dummy data if the TBOOT log is not retrieved.
-charon.plugins.imc-attestation.pcr17_meas
+libimcv.plugins.imc-attestation.pcr17_meas
 Dummy data if the TBOOT log is not retrieved.
-charon.plugins.imc-attestation.pcr18_after
+libimcv.plugins.imc-attestation.pcr18_after
 Dummy data if the TBOOT log is not retrieved.
-charon.plugins.imc-attestation.pcr18_before
+libimcv.plugins.imc-attestation.pcr18_before
 Dummy data if the TBOOT log is not retrieved.
-charon.plugins.imc-attestation.pcr18_meas
+libimcv.plugins.imc-attestation.pcr18_meas
 Dummy data if the TBOOT log is not retrieved.
diff --git a/conf/plugins/imv-os.conf b/conf/plugins/imv-os.conf
index 8f0da3760..f2786cc3f 100644
--- a/conf/plugins/imv-os.conf
+++ b/conf/plugins/imv-os.conf
@@ -4,8 +4,5 @@ imv-os {
 # priority of this plugin.
 load = yes
- # URI pointing to operating system remediation instructions.
- # remediation_uri =
-
 }
diff --git a/conf/plugins/imv-os.opt b/conf/plugins/imv-os.opt
index eab926201..fe83bb66f 100644
--- a/conf/plugins/imv-os.opt
+++ b/conf/plugins/imv-os.opt
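Review bot: The six `libimcv.plugins.imc-attestation.pcr17_*` / `pcr18_*` entries at the end of the imv-attestation.opt hunk still lack the ` =` that every other key in the file carries (`cadir =`, `min_nonce_len = 0`), and they remain imc-attestation keys inside the imv-attestation .opt file even though the imv-attestation.conf hunk in this same commit removes the stray `imc-attestation { ... }` block. Either move the six entries to imc-attestation.opt or at least write them as `libimcv.plugins.imc-attestation.pcr17_after =` so their format matches the other entries; whether the missing `=` changes how the .opt file is consumed is not visible here and should be checked.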
@@ -1,2 +1,2 @@
-charon.plugins.imv-os.remediation_uri =
+libimcv.plugins.imv-os.remediation_uri =
 URI pointing to operating system remediation instructions.
diff --git a/conf/plugins/imv-scanner.conf b/conf/plugins/imv-scanner.conf
index 25719d0ef..4b9da8f08 100644
--- a/conf/plugins/imv-scanner.conf
+++ b/conf/plugins/imv-scanner.conf
@@ -4,8 +4,5 @@ imv-scanner {
 # priority of this plugin.
 load = yes
- # URI pointing to scanner remediation instructions.
- # remediation_uri =
-
 }
diff --git a/conf/plugins/imv-scanner.opt b/conf/plugins/imv-scanner.opt
index 7af87493b..d23c6bab9 100644
--- a/conf/plugins/imv-scanner.opt
+++ b/conf/plugins/imv-scanner.opt
@@ -1,2 +1,2 @@
-charon.plugins.imv-scanner.remediation_uri =
+libimcv.plugins.imv-scanner.remediation_uri =
 URI pointing to scanner remediation instructions.
diff --git a/conf/plugins/imv-swid.conf b/conf/plugins/imv-swid.conf
new file mode 100644
index 000000000..bfd49bd1c
--- /dev/null
+++ b/conf/plugins/imv-swid.conf
@@ -0,0 +1,8 @@
+imv-swid {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/imv-swid.opt b/conf/plugins/imv-swid.opt
new file mode 100644
index 000000000..d451c78ce
--- /dev/null
+++ b/conf/plugins/imv-swid.opt
@@ -0,0 +1,5 @@
+libimcv.plugins.imv-swid.rest_api_uri =
+ HTTP URI of the SWID REST API.
+
+libimcv.plugins.imv-swid.rest_api_timeout = 120
+ Timeout of SWID REST API HTTP POST transaction.
diff --git a/conf/plugins/imv-test.conf b/conf/plugins/imv-test.conf
index 9bd248792..b268765bc 100644
--- a/conf/plugins/imv-test.conf
+++ b/conf/plugins/imv-test.conf
@@ -4,8 +4,5 @@ imv-test {
 # priority of this plugin.
 load = yes
- # Number of IMC-IMV retry rounds.
- # rounds = 0
-
 }
diff --git a/conf/plugins/imv-test.opt b/conf/plugins/imv-test.opt
index 2cbddc8f6..196559ed7 100644
--- a/conf/plugins/imv-test.opt
+++ b/conf/plugins/imv-test.opt
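Review bot: `rest_api_timeout = 120` in the new imv-swid.opt gives no unit, whereas comparable entries in this tree spell it out (`Seconds to start CHILD_SA rekeying after setup.` in load-tester.opt); if the value is in seconds, write `Timeout in seconds of the SWID REST API HTTP POST transaction.` and confirm the unit against the plugin code. The `rest_api_uri` description (`HTTP URI of the SWID REST API.`) also leaves open whether an https:// URI is accepted and how the REST server is authenticated, which is exactly what an operator deploying an IMV that reports to a remote endpoint needs to know; state it once the implementation is checked rather than leaving the reader to guess.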
@@ -1,2 +1,2 @@
-charon.plugins.imv-test.rounds = 0
+libimcv.plugins.imv-test.rounds = 0
 Number of IMC-IMV retry rounds.
diff --git a/conf/plugins/kernel-klips.conf b/conf/plugins/kernel-klips.conf
deleted file mode 100644
index 10ca30839..000000000
--- a/conf/plugins/kernel-klips.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-kernel-klips {
-
- # Number of ipsecN devices.
- # ipsec_dev_count = 4
-
- # Set MTU of ipsecN device.
- # ipsec_dev_mtu = 0
-
- # Whether to load the plugin. Can also be an integer to increase the
- # priority of this plugin.
- load = yes
-
-}
-
diff --git a/conf/plugins/kernel-klips.opt b/conf/plugins/kernel-klips.opt
deleted file mode 100644
index ad9806e71..000000000
--- a/conf/plugins/kernel-klips.opt
+++ /dev/null
@@ -1,5 +0,0 @@
-charon.plugins.kernel-klips.ipsec_dev_count = 4
- Number of ipsecN devices.
-
-charon.plugins.kernel-klips.ipsec_dev_mtu = 0
- Set MTU of ipsecN device.
diff --git a/conf/plugins/load-tester.conf b/conf/plugins/load-tester.conf
index e69c029d6..17281ba73 100644
--- a/conf/plugins/load-tester.conf
+++ b/conf/plugins/load-tester.conf
@@ -16,6 +16,10 @@ load-tester {
 # Seconds to start CHILD_SA rekeying after setup.
 # child_rekey = 600
+ # URI to a CRL to include as certificate distribution point in generated
+ # certificates.
+ # crl =
+
 # Delay between initiatons for each thread.
 # delay = 0
diff --git a/conf/plugins/load-tester.opt b/conf/plugins/load-tester.opt
index 7afe32618..e68adecc6 100644
--- a/conf/plugins/load-tester.opt
+++ b/conf/plugins/load-tester.opt
@@ -20,6 +20,10 @@ charon.plugins.load-tester.ca_dir =
 charon.plugins.load-tester.child_rekey = 600
 Seconds to start CHILD_SA rekeying after setup.
+charon.plugins.load-tester.crl
+ URI to a CRL to include as certificate distribution point in generated
+ certificates.
+
 charon.plugins.load-tester.delay = 0
 Delay between initiatons for each thread.
diff --git a/conf/plugins/vici.conf b/conf/plugins/vici.conf
new file mode 100644
index 000000000..08fa586b4
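Review bot: The added `charon.plugins.load-tester.crl` line in the load-tester.opt hunk is missing the ` =` that every sibling key carries (`child_rekey = 600`, `delay = 0`) and that the matching load-tester.conf hunk shows as `# crl =`; change it to `charon.plugins.load-tester.crl =`. The same key appears twice on the .conf side as a commented template and on the .opt side as documentation, so keeping their spelling identical is what lets a reader cross-reference them. The typo `initiatons` in the context line predates this commit and is out of scope here.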
--- /dev/null
+++ b/conf/plugins/vici.conf
@@ -0,0 +1,11 @@
+vici {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Socket the vici plugin serves clients.
+ # socket = unix://${piddir}/charon.vici
+
+}
+
diff --git a/conf/plugins/vici.opt b/conf/plugins/vici.opt
new file mode 100644
index 000000000..0fca8739b
--- /dev/null
+++ b/conf/plugins/vici.opt
@@ -0,0 +1,2 @@
+charon.plugins.vici.socket = unix://${piddir}/charon.vici
+ Socket the vici plugin serves clients. |
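Review bot: `Socket the vici plugin serves clients.` in the new vici.opt (and the identical comment in vici.conf) says where the socket lives but nothing about who may connect to it, and a control socket for the daemon is the one option in this diff where that is the security-relevant fact. The description should name what restricts access — presumably the ownership and permissions of the unix socket file created at `unix://${piddir}/charon.vici`, which should be confirmed against the plugin — for example `Socket the vici plugin serves clients. Access is governed by the permissions of the socket file; keep it restricted to trusted local users.` If the plugin also accepts a TCP URI, the description should say so and warn that no authentication is implied by the transport.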