authorYves-Alexis Perez <corsac@debian.org>2015-04-11 22:03:59 +0200
committerYves-Alexis Perez <corsac@debian.org>2015-04-11 22:03:59 +0200
commit83b8aebb19fe6e49e13a05d4e8f5ab9a06177642 (patch)
tree51255545ba43b84aa5d673bd0eb557cbd0155c9e /conf/plugins
parent2b8de74ff4c334c25e89988c4a401b24b5bcf03d (diff)
Imported Upstream version 5.3.0
Diffstat (limited to 'conf/plugins')
-rw-r--r--conf/plugins/bliss.conf11
-rw-r--r--conf/plugins/bliss.opt2
-rw-r--r--conf/plugins/forecast.conf17
-rw-r--r--conf/plugins/forecast.opt29
-rw-r--r--conf/plugins/imc-attestation.opt18
-rw-r--r--conf/plugins/imv-attestation.opt18
-rw-r--r--conf/plugins/kernel-netlink.conf21
-rw-r--r--conf/plugins/kernel-netlink.opt32
-rw-r--r--conf/plugins/kernel-pfkey.conf11
-rw-r--r--conf/plugins/kernel-pfkey.opt7
-rw-r--r--conf/plugins/tnccs-20.conf13
-rw-r--r--conf/plugins/tnccs-20.opt9
12 files changed, 170 insertions, 18 deletions
diff --git a/conf/plugins/bliss.conf b/conf/plugins/bliss.conf
new file mode 100644
index 000000000..e35c27dc4
--- /dev/null
+++ b/conf/plugins/bliss.conf
@@ -0,0 +1,11 @@
+bliss {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Use the enhanced BLISS-B key generation and signature algorithm.
+ # use_bliss_b = yes
+
+}
+
diff --git a/conf/plugins/bliss.opt b/conf/plugins/bliss.opt
new file mode 100644
index 000000000..0983da026
--- /dev/null
+++ b/conf/plugins/bliss.opt
@@ -0,0 +1,2 @@
+charon.plugins.bliss.use_bliss_b = yes
+ Use the enhanced BLISS-B key generation and signature algorithm.
diff --git a/conf/plugins/forecast.conf b/conf/plugins/forecast.conf
new file mode 100644
index 000000000..79edb4bc8
--- /dev/null
+++ b/conf/plugins/forecast.conf
@@ -0,0 +1,17 @@
+forecast {
+
+ # Multicast groups to join locally, allowing forwarding of them.
+ # groups = 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
+
+ # Local interface to listen for broadcasts to forward.
+ # interface =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # CHILD_SA configurations names to perform multi/broadcast reinjection.
+ # reinject =
+
+}
+
diff --git a/conf/plugins/forecast.opt b/conf/plugins/forecast.opt
new file mode 100644
index 000000000..444cced63
--- /dev/null
+++ b/conf/plugins/forecast.opt
@@ -0,0 +1,29 @@
+charon.plugins.forecast.interface =
+ Local interface to listen for broadcasts to forward.
+
+ Name of the local interface to listen for broadcasts messages to forward.
+ If no interface is configured, the first usable interface is used, which
+ is usually just fine for single-homed hosts. If your host has multiple
+ interfaces, set this option to the local LAN interface you want to forward
+ broadcasts from/to.
+
+charon.plugins.forecast.reinject =
+ CHILD_SA configurations names to perform multi/broadcast reinjection.
+
+ Comma separated list of CHILD_SA configuration names for which to perform
+ multi/broadcast reinjection. For clients connecting over such a
+ configuration, any multi/broadcast received over the tunnel gets reinjected
+ to all active tunnels. This makes the broadcasts visible to other peers,
+ and for examples allows clients to see others shares. If disabled,
+ multi/broadcast messages received over a tunnel are injected to the local
+ network only, but not to other IPsec clients.
+
+charon.plugins.forecast.groups = 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
+ Multicast groups to join locally, allowing forwarding of them.
+
+ Comma separated list of multicast groups to join locally. The local host
+ receives and forwards packets in the local LAN for joined multicast groups
+ only. Packets matching the list of multicast groups get forwarded to
+ connected clients. The default group includes host multicasts, IGMP, mDNS,
+ LLMNR and SSDP/WS-Discovery, and is usually a good choice for Windows
+ clients.
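Review bot: Two wording slips in the added descriptions: `Name of the local interface to listen for broadcasts messages to forward.` should read `broadcast messages`, and `and for examples allows clients to see others shares` should read `and for example allows clients to see each other's shares`. Since these .opt texts presumably end up in the generated strongswan.conf documentation, it is worth fixing them at the source rather than in the output.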
diff --git a/conf/plugins/imc-attestation.opt b/conf/plugins/imc-attestation.opt
index 9b60b9ede..7a40bc962 100644
--- a/conf/plugins/imc-attestation.opt
+++ b/conf/plugins/imc-attestation.opt
@@ -18,3 +18,21 @@ libimcv.plugins.imc-attestation.use_quote2 = yes
libimcv.plugins.imc-attestation.pcr_info = no
Whether to send pcr_before and pcr_after info.
+
+libimcv.plugins.imc-attestation.pcr17_before =
+ PCR17 value before measurement.
+
+libimcv.plugins.imc-attestation.pcr17_meas =
+ Dummy measurement value extended into PCR17 if the TBOOT log is not available.
+
+libimcv.plugins.imc-attestation.pcr17_after =
+ PCR17 value after measurement.
+
+libimcv.plugins.imc-attestation.pcr18_before =
+ PCR18 value before measurement.
+
+libimcv.plugins.imc-attestation.pcr18_meas =
+ Dummy measurement value extended into PCR17 if the TBOOT log is not available.
+
+libimcv.plugins.imc-attestation.pcr18_after =
+ PCR18 value after measurement.
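Review bot: The description of `pcr18_meas` still says the value is extended into PCR17; it is a copy of the `pcr17_meas` line and should read `Dummy measurement value extended into PCR18 if the TBOOT log is not available.` None of the six new entries state the expected format of the value (presumably a hex-encoded PCR digest; confirm against the IMC code) or spell out that a configured value stands in for a real measurement only when the TBOOT log is absent, which is what someone evaluating an attestation produced by this IMC needs to know. A short sentence on each entry giving the format and marking these as fallback/test values would close that gap.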
diff --git a/conf/plugins/imv-attestation.opt b/conf/plugins/imv-attestation.opt
index 3ad51625d..f55225023 100644
--- a/conf/plugins/imv-attestation.opt
+++ b/conf/plugins/imv-attestation.opt
@@ -12,21 +12,3 @@ libimcv.plugins.imv-attestation.hash_algorithm = sha256
libimcv.plugins.imv-attestation.min_nonce_len = 0
DH minimum nonce length.
-
-libimcv.plugins.imc-attestation.pcr17_after
- Dummy data if the TBOOT log is not retrieved.
-
-libimcv.plugins.imc-attestation.pcr17_before
- Dummy data if the TBOOT log is not retrieved.
-
-libimcv.plugins.imc-attestation.pcr17_meas
- Dummy data if the TBOOT log is not retrieved.
-
-libimcv.plugins.imc-attestation.pcr18_after
- Dummy data if the TBOOT log is not retrieved.
-
-libimcv.plugins.imc-attestation.pcr18_before
- Dummy data if the TBOOT log is not retrieved.
-
-libimcv.plugins.imc-attestation.pcr18_meas
- Dummy data if the TBOOT log is not retrieved.
diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf
index f05f486b1..723bf0a49 100644
--- a/conf/plugins/kernel-netlink.conf
+++ b/conf/plugins/kernel-netlink.conf
@@ -4,6 +4,9 @@ kernel-netlink {
# routing table.
# fwmark =
+ # Whether to ignore errors potentially resulting from a retransmission.
+ # ignore_retransmit_errors = no
+
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
@@ -14,6 +17,21 @@ kernel-netlink {
# MTU to set on installed routes, 0 to disable.
# mtu = 0
+ # Whether to perform concurrent Netlink ROUTE queries on a single socket.
+ # parallel_route = no
+
+ # Whether to perform concurrent Netlink XFRM queries on a single socket.
+ # parallel_xfrm = no
+
+ # Whether to always use XFRM_MSG_UPDPOLICY to install policies.
+ # policy_update = no
+
+ # Whether to use port or socket based IKE XFRM bypass policies.
+ # port_bypass = no
+
+ # Number of Netlink message retransmissions to send on timeout.
+ # retries = 0
+
# Whether to trigger roam events when interfaces, addresses or routes
# change.
# roam_events = yes
@@ -22,6 +40,9 @@ kernel-netlink {
# mode IPsec SAs in the kernel.
# set_proto_port_transport_sa = no
+ # Netlink message retransmission timeout, 0 to disable retransmissions.
+ # timeout = 0
+
# Lifetime of XFRM acquire state in kernel.
# xfrm_acq_expires = 165
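Review bot: `# timeout = 0` is documented without a unit, and the matching entry `charon.plugins.kernel-netlink.timeout` in conf/plugins/kernel-netlink.opt has the same gap, so a reader cannot tell whether the retransmission timeout is in milliseconds or seconds. Suggest stating it in the short description, e.g. `# Netlink message retransmission timeout in [UNIT], 0 to disable retransmissions.` with [UNIT] taken from the plugin code. It would also help to say on `retries` that it only takes effect when `timeout` is non-zero, since per the description a zero timeout disables retransmissions altogether.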
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
index 7d44581a5..800ba20c0 100644
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
@@ -13,6 +13,29 @@ charon.plugins.kernel-netlink.mss = 0
charon.plugins.kernel-netlink.mtu = 0
MTU to set on installed routes, 0 to disable.
+charon.plugins.kernel-netlink.parallel_route = no
+ Whether to perform concurrent Netlink ROUTE queries on a single socket.
+
+ Whether to perform concurrent Netlink ROUTE queries on a single socket.
+ While parallel queries can improve throughput, it has more overhead. On
+ vanilla Linux, DUMP queries fail with EBUSY and must be retried, further
+ decreasing performance.
+
+charon.plugins.kernel-netlink.parallel_xfrm = no
+ Whether to perform concurrent Netlink XFRM queries on a single socket.
+
+charon.plugins.kernel-netlink.policy_update = no
+ Whether to always use XFRM_MSG_UPDPOLICY to install policies.
+
+charon.plugins.kernel-netlink.port_bypass = no
+ Whether to use port or socket based IKE XFRM bypass policies.
+
+ Whether to use port or socket based IKE XFRM bypass policies.
+ IKE bypass policies are used to exempt IKE traffic from XFRM processing.
+ The default socket based policies are directly tied to the IKE UDP sockets,
+ port based policies use global XFRM bypass policies for the used IKE UDP
+ ports.
+
charon.plugins.kernel-netlink.roam_events = yes
Whether to trigger roam events when interfaces, addresses or routes change.
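Review bot: The long description of `port_bypass` explains the mechanism but not the consequence of choosing port based policies: if they are global XFRM bypass policies for the IKE UDP ports, then presumably any traffic on those ports is exempted from IPsec processing, not only the daemon's own sockets, which an operator needs to know before enabling it. Suggest adding a sentence such as `Port based policies apply to all traffic on the IKE UDP ports, not only to the daemon's own sockets.` once confirmed against the plugin. `parallel_xfrm` also lacks the long description that `parallel_route` has; if the EBUSY/retry caveat applies to XFRM dump queries as well, it should be repeated or referenced there.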
@@ -25,6 +48,15 @@ charon.plugins.kernel-netlink.set_proto_port_transport_sa = no
traffic, it also prevents the use of a single IPsec SA by more than one
traffic selector.
+charon.plugins.kernel-netlink.retries = 0
+ Number of Netlink message retransmissions to send on timeout.
+
+charon.plugins.kernel-netlink.timeout = 0
+ Netlink message retransmission timeout, 0 to disable retransmissions.
+
+charon.plugins.kernel-netlink.ignore_retransmit_errors = no
+ Whether to ignore errors potentially resulting from a retransmission.
+
charon.plugins.kernel-netlink.xfrm_acq_expires = 165
Lifetime of XFRM acquire state in kernel.
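Review bot: `ignore_retransmit_errors` says only that it ignores "errors potentially resulting from a retransmission", so an operator cannot tell which kernel errors will be masked; because this suppresses failures of SA or policy installation, the description should name the error class (presumably an EEXIST-style error from a request whose first copy was applied but whose reply was lost — confirm in the plugin). As a point of style, the three retransmission options are appended after `set_proto_port_transport_sa` rather than at the alphabetical position the first hunk uses for `parallel_*`, `policy_update` and `port_bypass`, while the .conf in this commit places them alphabetically; keeping the .opt sorted too avoids the mismatch.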
diff --git a/conf/plugins/kernel-pfkey.conf b/conf/plugins/kernel-pfkey.conf
new file mode 100644
index 000000000..2d4733e74
--- /dev/null
+++ b/conf/plugins/kernel-pfkey.conf
@@ -0,0 +1,11 @@
+kernel-pfkey {
+
+ # Size of the receive buffer for the event socket (0 for default size).
+ # events_buffer_size = 0
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
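Review bot: `# events_buffer_size = 0` gives no unit; presumably bytes, as for a socket receive buffer, but the comment should say so, e.g. `# Size of the receive buffer for the event socket in bytes (0 for default size).` The same applies to the entry in conf/plugins/kernel-pfkey.opt, whose long description also reads better with a comma: `Because events are received asynchronously, installing e.g. lots of policies may require a larger buffer than the default on certain platforms in order to receive all messages.`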
diff --git a/conf/plugins/kernel-pfkey.opt b/conf/plugins/kernel-pfkey.opt
new file mode 100644
index 000000000..ec05215d3
--- /dev/null
+++ b/conf/plugins/kernel-pfkey.opt
@@ -0,0 +1,7 @@
+charon.plugins.kernel-pfkey.events_buffer_size = 0
+ Size of the receive buffer for the event socket (0 for default size).
+
+ Size of the receive buffer for the event socket (0 for default size).
+ Because events are received asynchronously installing e.g. lots of policies
+ may require a larger buffer than the default on certain platforms in order
+ to receive all messages.
diff --git a/conf/plugins/tnccs-20.conf b/conf/plugins/tnccs-20.conf
index 9a57ee14d..e8c45ae5c 100644
--- a/conf/plugins/tnccs-20.conf
+++ b/conf/plugins/tnccs-20.conf
@@ -10,5 +10,18 @@ tnccs-20 {
# Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497).
# max_message_size = 65490
+ # Enable PB-TNC mutual protocol.
+ # mutual = no
+
+ tests {
+
+ # Send an unsupported PB-TNC message type with the NOSKIP flag set.
+ # pb_tnc_noskip = no
+
+ # Send a PB-TNC batch with a modified PB-TNC version.
+ # pb_tnc_version = 2
+
+ }
+
}
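Review bot: The new `tests` subsection holds knobs that deliberately send non-conforming PB-TNC batches (`pb_tnc_noskip`, `pb_tnc_version`), but neither this file nor conf/plugins/tnccs-20.opt says they exist for protocol conformance testing or what effect they have on the peer, so they read like ordinary tuning options. A one-line comment above the subsection, e.g. `# Options for testing a peer's PB-TNC implementation; leave at the defaults in normal operation.`, would make the intent clear. For `pb_tnc_version` it also helps to state that the default `2` is the regular PB-TNC version, so the test only takes effect when a different value is set — presumably that is how it works, confirm against the plugin.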
diff --git a/conf/plugins/tnccs-20.opt b/conf/plugins/tnccs-20.opt
index b15bc3fa1..8d16d1cb2 100644
--- a/conf/plugins/tnccs-20.opt
+++ b/conf/plugins/tnccs-20.opt
@@ -3,3 +3,12 @@ charon.plugins.tnccs-20.max_batch_size = 65522
charon.plugins.tnccs-20.max_message_size = 65490
Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497).
+
+charon.plugins.tnccs-20.mutual = no
+ Enable PB-TNC mutual protocol.
+
+charon.plugins.tnccs-20.tests.pb_tnc_noskip = no
+ Send an unsupported PB-TNC message type with the NOSKIP flag set.
+
+charon.plugins.tnccs-20.tests.pb_tnc_version = 2
+ Send a PB-TNC batch with a modified PB-TNC version.