authorYves-Alexis Perez <corsac@debian.org>2018-09-24 15:11:14 +0200
committerYves-Alexis Perez <corsac@debian.org>2018-09-24 15:11:14 +0200
commite0e280b7669435b991b7e457abd8aa450930b3e8 (patch)
tree3e6084f13b14ad2df104e2ce6e589eb96c5f7ac9 /conf
parent51a71ee15c1bcf0e82f363a16898f571e211f9c3 (diff)
New upstream version 5.7.0
Diffstat (limited to 'conf')
-rw-r--r--conf/Makefile.am2
-rw-r--r--conf/Makefile.in13
-rw-r--r--conf/options/charon-logging.conf11
-rw-r--r--conf/options/charon-logging.opt23
-rw-r--r--conf/options/charon.conf2
-rw-r--r--conf/options/charon.opt2
-rw-r--r--conf/plugins/dhcp.conf4
-rw-r--r--conf/plugins/dhcp.opt15
-rw-r--r--conf/plugins/eap-radius.conf4
-rw-r--r--conf/plugins/eap-radius.opt4
-rw-r--r--conf/plugins/imc-swid.conf8
-rw-r--r--conf/plugins/imc-swid.opt8
-rw-r--r--conf/plugins/imc-swima.opt3
-rw-r--r--conf/plugins/imv-swid.conf8
-rw-r--r--conf/plugins/imv-swid.opt5
-rw-r--r--conf/plugins/tpm.conf14
-rw-r--r--conf/plugins/tpm.opt10
-rw-r--r--conf/strongswan.conf.5.head.in70
-rw-r--r--conf/strongswan.conf.5.main95
-rw-r--r--conf/strongswan.conf.5.tail.in16
20 files changed, 227 insertions, 90 deletions
diff --git a/conf/Makefile.am b/conf/Makefile.am
index eb662c2e0..d7917664b 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -61,13 +61,11 @@ plugins = \
plugins/imc-hcd.opt \
plugins/imc-os.opt \
plugins/imc-scanner.opt \
- plugins/imc-swid.opt \
plugins/imc-swima.opt \
plugins/imc-test.opt \
plugins/imv-attestation.opt \
plugins/imv-os.opt \
plugins/imv-scanner.opt \
- plugins/imv-swid.opt \
plugins/imv-swima.opt \
plugins/imv-test.opt \
plugins/ipseckey.opt \
diff --git a/conf/Makefile.in b/conf/Makefile.in
index e83d3b98f..ae4640068 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -265,7 +265,6 @@ PYTHON_VERSION = @PYTHON_VERSION@
PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
-RUBY = @RUBY@
RUBYGEMDIR = @RUBYGEMDIR@
SED = @SED@
SET_MAKE = @SET_MAKE@
@@ -291,6 +290,8 @@ am__tar = @am__tar@
am__untar = @am__untar@
attest_plugins = @attest_plugins@
bindir = @bindir@
+botan_CFLAGS = @botan_CFLAGS@
+botan_LIBS = @botan_LIBS@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
@@ -311,8 +312,6 @@ dvidir = @dvidir@
exec_prefix = @exec_prefix@
fips_mode = @fips_mode@
fuzz_plugins = @fuzz_plugins@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
@@ -367,8 +366,6 @@ random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
routing_table_prio = @routing_table_prio@
-ruby_CFLAGS = @ruby_CFLAGS@
-ruby_LIBS = @ruby_LIBS@
runstatedir = @runstatedir@
s_plugins = @s_plugins@
sbindir = @sbindir@
@@ -397,8 +394,12 @@ top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
tss2_CFLAGS = @tss2_CFLAGS@
tss2_LIBS = @tss2_LIBS@
+tss2_esys_CFLAGS = @tss2_esys_CFLAGS@
+tss2_esys_LIBS = @tss2_esys_LIBS@
tss2_socket_CFLAGS = @tss2_socket_CFLAGS@
tss2_socket_LIBS = @tss2_socket_LIBS@
+tss2_sys_CFLAGS = @tss2_sys_CFLAGS@
+tss2_sys_LIBS = @tss2_sys_LIBS@
tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@
tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@
urandom_device = @urandom_device@
@@ -467,13 +468,11 @@ plugins = \
plugins/imc-hcd.opt \
plugins/imc-os.opt \
plugins/imc-scanner.opt \
- plugins/imc-swid.opt \
plugins/imc-swima.opt \
plugins/imc-test.opt \
plugins/imv-attestation.opt \
plugins/imv-os.opt \
plugins/imv-scanner.opt \
- plugins/imv-swid.opt \
plugins/imv-swima.opt \
plugins/imv-test.opt \
plugins/ipseckey.opt \
diff --git a/conf/options/charon-logging.conf b/conf/options/charon-logging.conf
index 454405985..ed3c027dc 100644
--- a/conf/options/charon-logging.conf
+++ b/conf/options/charon-logging.conf
@@ -4,8 +4,10 @@ charon {
# strongswan.conf(5).
filelog {
- # <filename> is the full path to the log file.
- # <filename> {
+ # <name> may be the full path to the log file if it only contains
+ # characters permitted in section names. Is ignored if path is
+ # specified.
+ # <name> {
# Loglevel for a specific subsystem.
# <subsystem> = <default>
@@ -25,6 +27,11 @@ charon {
# numerical identifier for each IKE_SA.
# ike_name = no
+ # Optional path to the log file. Overrides the section name. Must be
+ # used if the path contains characters that aren't allowed in
+ # section names.
+ # path =
+
# Adds the milliseconds within the current second after the
# timestamp (separated by a dot, so time_format should end with %S
# or %T).
diff --git a/conf/options/charon-logging.opt b/conf/options/charon-logging.opt
index 2bbb5dce4..e850c4487 100644
--- a/conf/options/charon-logging.opt
+++ b/conf/options/charon-logging.opt
@@ -2,33 +2,38 @@ charon.filelog {}
Section to define file loggers, see LOGGER CONFIGURATION in
**strongswan.conf**(5).
-charon.filelog.<filename> { # }
- <filename> is the full path to the log file.
+charon.filelog.<name> { # }
+ <name> may be the full path to the log file if it only contains
+ characters permitted in section names. Is ignored if _path_ is specified.
-charon.filelog.<filename>.default = 1
+charon.filelog.<name>.path =
+ Optional path to the log file. Overrides the section name. Must be used
+ if the path contains characters that aren't allowed in section names.
+
+charon.filelog.<name>.default = 1
Default loglevel.
Specifies the default loglevel to be used for subsystems for which no
specific loglevel is defined.
-charon.filelog.<filename>.<subsystem> = <default>
+charon.filelog.<name>.<subsystem> = <default>
Loglevel for a specific subsystem.
-charon.filelog.<filename>.append = yes
+charon.filelog.<name>.append = yes
If this option is enabled log entries are appended to the existing file.
-charon.filelog.<filename>.flush_line = no
+charon.filelog.<name>.flush_line = no
Enabling this option disables block buffering and enables line buffering.
-charon.filelog.<filename>.ike_name = no
+charon.filelog.<name>.ike_name = no
Prefix each log entry with the connection name and a unique numerical
identifier for each IKE_SA.
-charon.filelog.<filename>.time_format
+charon.filelog.<name>.time_format
Prefix each log entry with a timestamp. The option accepts a format string
as passed to **strftime**(3).
-charon.filelog.<filename>.time_add_ms = no
+charon.filelog.<name>.time_add_ms = no
Adds the milliseconds within the current second after the timestamp
(separated by a dot, so _time_format_ should end with %S or %T).
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index 93dff172d..857ddde9b 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -274,7 +274,7 @@ charon {
# Buffer size used for crypto benchmark.
# bench_size = 1024
- # Number of iterations to test each algorithm.
+ # Time in ms during which crypto algorithm performance is measured.
# bench_time = 50
# Test crypto algorithms during registration (requires test vectors
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index fcde5f0b5..8fb64bc25 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -52,7 +52,7 @@ charon.crypto_test.bench_size = 1024
Buffer size used for crypto benchmark.
charon.crypto_test.bench_time = 50
- Number of iterations to test each algorithm.
+ Time in ms during which crypto algorithm performance is measured.
charon.crypto_test.on_add = no
Test crypto algorithms during registration (requires test vectors provided
diff --git a/conf/plugins/dhcp.conf b/conf/plugins/dhcp.conf
index 88bbe36e3..c880cfa59 100644
--- a/conf/plugins/dhcp.conf
+++ b/conf/plugins/dhcp.conf
@@ -17,5 +17,9 @@ dhcp {
# DHCP server unicast or broadcast IP address.
# server = 255.255.255.255
+ # Use the DHCP server port (67) as source port when a unicast server address
+ # is configured.
+ # use_server_port = no
+
}
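Review bot: The `use_server_port` comment does not say what enabling it demands of the daemon: binding UDP port 67 is a privileged bind, so charon needs the privilege to bind low ports at the time the plugin creates the socket, unless the plugin already retains it (not visible in this hunk, worth confirming), and a socket bound to port 67 will presumably receive any DHCP traffic other hosts address to port 67 on this machine, not only replies to its own relayed requests. Suggest extending the comment with `# Binding port 67 requires the privilege to bind low ports and makes this socket` / `# receive all DHCP traffic sent to port 67 on this host.`. The same wording belongs in dhcp.opt, from which this text appears to be generated.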
diff --git a/conf/plugins/dhcp.opt b/conf/plugins/dhcp.opt
index 6b337bc34..7c6d31c87 100644
--- a/conf/plugins/dhcp.opt
+++ b/conf/plugins/dhcp.opt
@@ -15,6 +15,21 @@ charon.plugins.dhcp.identity_lease = no
charon.plugins.dhcp.server = 255.255.255.255
DHCP server unicast or broadcast IP address.
+charon.plugins.dhcp.use_server_port = no
+ Use the DHCP server port (67) as source port when a unicast server address
+ is configured.
+
+ Use the DHCP server port (67) as source port, instead of the DHCP client
+ port (68), when a unicast server address is configured and the plugin acts
+ as relay agent. When replying in this mode the DHCP server will always send
+ packets to the DHCP server port and if no process binds that port an ICMP
+ port unreachables will be sent back, which might be problematic for some
+ DHCP servers. To avoid that, enabling this option will cause the plugin to
+ bind the DHCP server port to send its requests when acting as relay agent.
+ This is not necessary if a DHCP server is already running on the same host
+ and might even cause conflicts (and since the server port is already bound,
+ ICMPs should not be an issue).
+
charon.plugins.dhcp.interface
Interface name the plugin uses for address allocation.
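Review bot: The long description contains a grammatical slip, `an ICMP port unreachables will be sent back`, which is also reproduced in the generated man page; change it to `ICMP port unreachable messages will be sent back`. The closing sentence, `This is not necessary if a DHCP server is already running on the same host and might even cause conflicts`, also leaves the reader guessing what conflicts; presumably the issue is that both processes would bind the same port, so `...and might even cause conflicts, since both would bind the same port` would say it explicitly.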
diff --git a/conf/plugins/eap-radius.conf b/conf/plugins/eap-radius.conf
index 5a486114e..24f2eaacd 100644
--- a/conf/plugins/eap-radius.conf
+++ b/conf/plugins/eap-radius.conf
@@ -66,6 +66,10 @@ eap-radius {
# Number of sockets (ports) to use, increase for high load.
# sockets = 1
+ # Whether to include the UDP port in the Called- and Calling-Station-Id
+ # RADIUS attributes.
+ # station_id_with_port = yes
+
dae {
# Enables support for the Dynamic Authorization Extension (RFC 5176).
diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt
index f18a74c49..192996c73 100644
--- a/conf/plugins/eap-radius.opt
+++ b/conf/plugins/eap-radius.opt
@@ -108,6 +108,10 @@ charon.plugins.eap-radius.servers {}
charon.plugins.eap-radius.sockets = 1
Number of sockets (ports) to use, increase for high load.
+charon.plugins.eap-radius.station_id_with_port = yes
+ Whether to include the UDP port in the Called- and Calling-Station-Id
+ RADIUS attributes.
+
charon.plugins.eap-radius.xauth {}
Section to configure multiple XAuth authentication rounds via RADIUS.
diff --git a/conf/plugins/imc-swid.conf b/conf/plugins/imc-swid.conf
deleted file mode 100644
index 4893703ad..000000000
--- a/conf/plugins/imc-swid.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-imc-swid {
-
- # Whether to load the plugin. Can also be an integer to increase the
- # priority of this plugin.
- load = yes
-
-}
-
diff --git a/conf/plugins/imc-swid.opt b/conf/plugins/imc-swid.opt
deleted file mode 100644
index e622aa683..000000000
--- a/conf/plugins/imc-swid.opt
+++ /dev/null
@@ -1,8 +0,0 @@
-libimcv.plugins.imc-swid.swid_directory = ${prefix}/share
- Directory where SWID tags are located.
-
-libimcv.plugins.imc-swid.swid_pretty = no
- Generate XML-encoded SWID tags with pretty indentation.
-
-libimcv.plugins.imc-swid.swid_full = no
- Include file information in the XML-encoded SWID tags.
diff --git a/conf/plugins/imc-swima.opt b/conf/plugins/imc-swima.opt
index 099a3c80f..daa4ecadd 100644
--- a/conf/plugins/imc-swima.opt
+++ b/conf/plugins/imc-swima.opt
@@ -19,3 +19,6 @@ libimcv.plugins.imc-swima.swid_pretty = no
libimcv.plugins.imc-swima.swid_full = no
Include file information in the XML-encoded SWID tags.
+
+libimcv.plugins.imc-swima.subscriptions = no
+ Accept SW Inventory or SW Events subscriptions.
diff --git a/conf/plugins/imv-swid.conf b/conf/plugins/imv-swid.conf
deleted file mode 100644
index bfd49bd1c..000000000
--- a/conf/plugins/imv-swid.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-imv-swid {
-
- # Whether to load the plugin. Can also be an integer to increase the
- # priority of this plugin.
- load = yes
-
-}
-
diff --git a/conf/plugins/imv-swid.opt b/conf/plugins/imv-swid.opt
deleted file mode 100644
index d451c78ce..000000000
--- a/conf/plugins/imv-swid.opt
+++ /dev/null
@@ -1,5 +0,0 @@
-libimcv.plugins.imv-swid.rest_api_uri =
- HTTP URI of the SWID REST API.
-
-libimcv.plugins.imv-swid.rest_api_timeout = 120
- Timeout of SWID REST API HTTP POST transaction.
diff --git a/conf/plugins/tpm.conf b/conf/plugins/tpm.conf
index 222bb7b0a..1be961e89 100644
--- a/conf/plugins/tpm.conf
+++ b/conf/plugins/tpm.conf
@@ -7,5 +7,19 @@ tpm {
# Whether the TPM should be used as RNG.
# use_rng = no
+ tcti {
+
+ # Name of TPM 2.0 TCTI library. Valid values: tabrmd, device or mssim.
+ # Defaults are device if the /dev/tpmrm0 in-kernel TPM 2.0 resource
+ # manager device exists, and tabrmd otherwise, requiring the d-bus based
+ # TPM 2.0 access broker and resource manager to be available.
+ # name = device|tabrmd
+
+ # Options for the TPM 2.0 TCTI library. Defaults are /dev/tpmrm0 if the
+ # TCTI library name is device and no options otherwise.
+ # opts = /dev/tpmrm0|<none>
+
+ }
+
}
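Review bot: The `tcti.name` comment should warn that `mssim` selects the TPM 2.0 software-simulator transport, which provides no hardware root of trust, so a production host configured with it gets keys and attestation backed by a simulator rather than a TPM; suggest adding `# mssim talks to a TPM 2.0 software simulator, not real hardware; use it only for testing.`. The `opts` comment only gives the option format for `device`; an operator choosing `tabrmd` or `mssim` is left to guess what `opts` takes (presumably a D-Bus name for tabrmd and host/port for mssim, per tss2 TCTI conventions, which is worth confirming against the tss2 versions the plugin links against). Suggest `# The format of opts depends on the selected TCTI library; see its documentation.`. The same wording belongs in tpm.opt, from which this text appears to be generated.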
diff --git a/conf/plugins/tpm.opt b/conf/plugins/tpm.opt
index cd666dde8..df7adb098 100644
--- a/conf/plugins/tpm.opt
+++ b/conf/plugins/tpm.opt
@@ -1,2 +1,12 @@
charon.plugins.tpm.use_rng = no
Whether the TPM should be used as RNG.
+
+charon.plugins.tpm.tcti.name = device|tabrmd
+ Name of TPM 2.0 TCTI library. Valid values: _tabrmd_, _device_ or _mssim_.
+ Defaults are _device_ if the _/dev/tpmrm0_ in-kernel TPM 2.0 resource manager
+ device exists, and _tabrmd_ otherwise, requiring the d-bus based TPM 2.0
+ access broker and resource manager to be available.
+
+charon.plugins.tpm.tcti.opts = /dev/tpmrm0|<none>
+ Options for the TPM 2.0 TCTI library. Defaults are _/dev/tpmrm0_ if the
+ TCTI library name is _device_ and no options otherwise.
diff --git a/conf/strongswan.conf.5.head.in b/conf/strongswan.conf.5.head.in
index 23454e758..9337c19e2 100644
--- a/conf/strongswan.conf.5.head.in
+++ b/conf/strongswan.conf.5.head.in
@@ -32,13 +32,12 @@ and key/value pairs:
.PP
Values must be terminated by a newline.
.PP
-Comments are possible using the \fB#\fP-character, but be careful: The parser
-implementation is currently limited and does not like brackets in comments.
+Comments are possible using the \fB#\fP-character.
.PP
Section names and keys may contain any printable character except:
.PP
.EX
- . { } # \\n \\t space
+ . , : { } = " # \\n \\t space
.EE
.PP
An example file in this format might look like this:
@@ -60,6 +59,71 @@ An example file in this format might look like this:
.PP
Indentation is optional, you may use tabs or spaces.
+
+.SH REFERENCING OTHER SECTIONS
+It is possible to inherit settings and sections from another section. This
+feature is mainly useful in swanctl.conf (which uses the same file format).
+The syntax is as follows:
+.PP
+.EX
+ section := name : references { settings }
+ references := absname[, absname]*
+ absname := name[.name]*
+.EE
+.PP
+All key/value pairs and all subsections of the referenced sections will be
+inherited by the section that references them via their absolute name. Values
+may be overridden in the section or any of its sub-sections (use an empty
+assignment to clear a value so its default value, if any, will apply). It is
+currently not possible to limit the inclusion level or clear/remove inherited
+sub-sections.
+
+If the order is important (e.g. for auth rounds in a connection, if \fIround\fR
+is not used), it should be noted that inherited settings/sections will follow
+those defined in the current section (if multiple sections are referenced, their
+settings are enumerated left to right).
+
+References are evaluated dynamically at runtime, so referring to sections later
+in the config file or included via other files is no problem.
+
+Here is an example of how this might look like:
+.PP
+.EX
+ conn-defaults {
+ # default settings for all conns (e.g. a cert, or IP pools)
+ }
+ eap-defaults {
+ # defaults if eap is used (e.g. a remote auth round)
+ }
+ child-defaults {
+ # defaults for child configs (e.g. traffic selectors)
+ }
+ connections {
+ conn-a : conn-defaults, eap-defaults {
+ # set/override stuff specific to this connection
+ children {
+ child-a : child-defaults {
+ # set/override stuff specific to this child
+ }
+ }
+ }
+ conn-b : conn-defaults {
+ # set/override stuff specific to this connection
+ children {
+ child-b : child-defaults {
+ # set/override stuff specific to this child
+ }
+ }
+ }
+ conn-c : connections.conn-a {
+ # everything is inherited, including everything conn-a
+ # already inherits from the sections it and its
+ # sub-section reference
+ }
+ }
+.EE
+.PP
+
.SH INCLUDING FILES
Using the
.B include
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index f83211805..486ee5af9 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -85,7 +85,7 @@ Buffer size used for crypto benchmark.
.TP
.BR charon.crypto_test.bench_time " [50]"
-Number of iterations to test each algorithm.
+Time in ms during which crypto algorithm performance is measured.
.TP
.BR charon.crypto_test.on_add " [no]"
@@ -155,41 +155,49 @@ Section to define file loggers, see LOGGER CONFIGURATION in
.TP
-.B charon.filelog.<filename>
+.B charon.filelog.<name>
.br
-<filename> is the full path to the log file.
+<name> may be the full path to the log file if it only contains characters
+permitted in section names. Is ignored if
+.RI "" "path" ""
+is specified.
.TP
-.BR charon.filelog.<filename>.<subsystem> " [<default>]"
+.BR charon.filelog.<name>.<subsystem> " [<default>]"
Loglevel for a specific subsystem.
.TP
-.BR charon.filelog.<filename>.append " [yes]"
+.BR charon.filelog.<name>.append " [yes]"
If this option is enabled log entries are appended to the existing file.
.TP
-.BR charon.filelog.<filename>.default " [1]"
+.BR charon.filelog.<name>.default " [1]"
Specifies the default loglevel to be used for subsystems for which no specific
loglevel is defined.
.TP
-.BR charon.filelog.<filename>.flush_line " [no]"
+.BR charon.filelog.<name>.flush_line " [no]"
Enabling this option disables block buffering and enables line buffering.
.TP
-.BR charon.filelog.<filename>.ike_name " [no]"
+.BR charon.filelog.<name>.ike_name " [no]"
Prefix each log entry with the connection name and a unique numerical identifier
for each IKE_SA.
.TP
-.BR charon.filelog.<filename>.time_add_ms " [no]"
+.BR charon.filelog.<name>.path " []"
+Optional path to the log file. Overrides the section name. Must be used if the
+path contains characters that aren't allowed in section names.
+
+.TP
+.BR charon.filelog.<name>.time_add_ms " [no]"
Adds the milliseconds within the current second after the timestamp (separated
by a dot, so
.RI "" "time_format" ""
should end with %S or %T).
.TP
-.BR charon.filelog.<filename>.time_format " []"
+.BR charon.filelog.<name>.time_format " []"
Prefix each log entry with a timestamp. The option accepts a format string as
passed to
.RB "" "strftime" "(3)."
@@ -556,6 +564,18 @@ DHCP server.
DHCP server unicast or broadcast IP address.
.TP
+.BR charon.plugins.dhcp.use_server_port " [no]"
+Use the DHCP server port (67) as source port, instead of the DHCP client port
+(68), when a unicast server address is configured and the plugin acts as relay
+agent. When replying in this mode the DHCP server will always send packets to
+the DHCP server port and if no process binds that port an ICMP port unreachables
+will be sent back, which might be problematic for some DHCP servers. To avoid
+that, enabling this option will cause the plugin to bind the DHCP server port to
+send its requests when acting as relay agent. This is not necessary if a DHCP
+server is already running on the same host and might even cause conflicts (and
+since the server port is already bound, ICMPs should not be an issue).
+
+.TP
.BR charon.plugins.dnscert.enable " [no]"
Enable fetching of CERT RRs via DNS.
@@ -778,6 +798,11 @@ and
Number of sockets (ports) to use, increase for high load.
.TP
+.BR charon.plugins.eap-radius.station_id_with_port " [yes]"
+Whether to include the UDP port in the Called\- and Calling\-Station\-Id RADIUS
+attributes.
+
+.TP
.B charon.plugins.eap-radius.xauth
.br
Section to configure multiple XAuth authentication rounds via RADIUS. The
@@ -1660,6 +1685,32 @@ Send an unsupported PB\-TNC message type with the NOSKIP flag set.
Send a PB\-TNC batch with a modified PB\-TNC version.
.TP
+.BR charon.plugins.tpm.tcti.name " [device|tabrmd]"
+Name of TPM 2.0 TCTI library. Valid values:
+.RI "" "tabrmd" ","
+.RI "" "device" ""
+or
+.RI "" "mssim" "."
+Defaults are
+.RI "" "device" ""
+if the
+.RI "" "/dev/tpmrm0" ""
+in\-kernel TPM 2.0 resource manager
+device exists, and
+.RI "" "tabrmd" ""
+otherwise, requiring the d\-bus based TPM 2.0 access
+broker and resource manager to be available.
+
+.TP
+.BR charon.plugins.tpm.tcti.opts " [/dev/tpmrm0|<none>]"
+Options for the TPM 2.0 TCTI library. Defaults are
+.RI "" "/dev/tpmrm0" ""
+if the TCTI
+library name is
+.RI "" "device" ""
+and no options otherwise.
+
+.TP
.BR charon.plugins.tpm.use_rng " [no]"
Whether the TPM should be used as RNG.
@@ -2191,23 +2242,15 @@ Send operating system info without being prompted.
Send open listening ports without being prompted.
.TP
-.BR libimcv.plugins.imc-swid.swid_directory " [${prefix}/share]"
-Directory where SWID tags are located.
-
-.TP
-.BR libimcv.plugins.imc-swid.swid_full " [no]"
-Include file information in the XML\-encoded SWID tags.
-
-.TP
-.BR libimcv.plugins.imc-swid.swid_pretty " [no]"
-Generate XML\-encoded SWID tags with pretty indentation.
-
-.TP
.BR libimcv.plugins.imc-swima.eid_epoch " [0x11223344]"
Set 32 bit epoch value for event IDs manually if software collector database is
not available.
.TP
+.BR libimcv.plugins.imc-swima.subscriptions " [no]"
+Accept SW Inventory or SW Events subscriptions.
+
+.TP
.BR libimcv.plugins.imc-swima.swid_database " []"
URI to software collector database containing event timestamps, software
creation and deletion events and collected software identifiers. If it contains
@@ -2274,14 +2317,6 @@ URI pointing to operating system remediation instructions.
URI pointing to scanner remediation instructions.
.TP
-.BR libimcv.plugins.imv-swid.rest_api_timeout " [120]"
-Timeout of SWID REST API HTTP POST transaction.
-
-.TP
-.BR libimcv.plugins.imv-swid.rest_api_uri " []"
-HTTP URI of the SWID REST API.
-
-.TP
.BR libimcv.plugins.imv-swima.rest_api.timeout " [120]"
Timeout of SWID REST API HTTP POST transaction.
diff --git a/conf/strongswan.conf.5.tail.in b/conf/strongswan.conf.5.tail.in
index a93fe020a..4dd177ca0 100644
--- a/conf/strongswan.conf.5.tail.in
+++ b/conf/strongswan.conf.5.tail.in
@@ -15,12 +15,15 @@ does not have any effect.
There are currently two types of loggers:
.TP
.B File loggers
-Log directly to a file and are defined by specifying the full path to the
-file as subsection in the
+Log directly to a file and are defined by specifying an arbitrarily named
+subsection in the
.B charon.filelog
-section. To log to the console the two special filenames
+section. The full path to the file is configured in the \fIpath\fR setting of
+that subsection, however, if it only contains characters permitted in section
+names, the setting may also be omitted and the path specified as name of the
+subsection. To log to the console the two special filenames
.BR stdout " and " stderr
-can be used.
+may be used.
.TP
.B Syslog loggers
Log into a syslog facility and are defined by specifying the facility to log to
@@ -108,7 +111,8 @@ Also include sensitive material in dumps, e.g. keys
.EX
charon {
filelog {
- /var/log/charon.log {
+ charon {
+ path = /var/log/charon.log
time_format = %b %e %T
append = no
default = 1
@@ -290,7 +294,7 @@ For public key authentication, the responder uses the
identity. For the initiator, each connection attempt uses a different identity
in the form
.BR "\(dqCN=c1-r1, OU=load-test, O=strongSwan\(dq" ,
-where the first number inidicates the client number, the second the
+where the first number indicates the client number, the second the
authentication round (if multiple authentication rounds are used).
.PP
For PSK authentication, FQDN identities are used. The server uses